Re: Fwd: Multiple vendor 'Taylor UUCP' problems.

From

Andrey A. Chernov <ache@nagual.pp.ru>

Date

8 Sep 2001 19:00:35

Subject

Re: Fwd: Multiple vendor 'Taylor UUCP' problems.

Message-ID

20010909055903.A34519@nagual.pp.ru

In reply to

Kris Kennaway (freebsd-security) , Kris Kennaway

References to

Mike Tancsa (freebsd-security) , Matt Dillon (freebsd-security) , Kris Kennaway (freebsd-security) , Kris Kennaway (freebsd-security) , Kris Kennaway, Kris Kennaway (freebsd-security) , Andrey A. Chernov, Andrey A. Chernov (freebsd-security) , Kris Kennaway, Kris Kennaway (freebsd-security) , Todd C. Miller, Todd C. Miller (freebsd-security) , Kris Kennaway (freebsd-security) , Kris Kennaway

Referenced by

Kris Kennaway, Kris Kennaway (freebsd-security) , Andrey A. Chernov, Andrey A. Chernov (freebsd-security) , Mike Tancsa (freebsd-security) , Kris Kennaway (freebsd-security) , Mike Tancsa (freebsd-security) , Matt Dillon (freebsd-security)

[ Hide this part ]

On Sat, Sep 08, 2001 at 18:54:15 -0700, Kris Kennaway wrote:
>
> Yeah, thats probably a good change to make.  However the uucp
> vulnerability still lets e.g. arbitrary users read/modify uucp spool
> data, create files, access the uucp:dialer devices, etc.

All you mention is historical old-days uucp subsystem bad 'features', it
is not fool proff and require ethic behaviour of its users. To eliminate
this things main uucp developers must be contacted, because this things
hardly integrated in normal usage flow and can't be deattached easily.

I.e. it is not FreeBSD security problem but uucp problem (as designed).
All we need is to protect uucp binaries from modifications (via schg).

--
Andrey A. Chernov
http://ache.pp.ru/

[ Show this part (application/pgp-signature) ]