In message <20010908180848.A94567@xor.obsecurity.org>
so spake Kris Kennaway (kris):
> The vulnerability involves uucp being made to run arbitrary commands
> as the uucp user through specifying a custom configuration file - see
> bugtraq. There may be other problems resulting from user-specified
> configuration files. I don't have time to go through the code and fix
> up the revocation of privileges right now..in the meantime, this
> prevents the root exploit where a user replaces a uucp-owned binary
> like uustat, which is called daily by /etc/periodic.
Is there really any reason to run uustat as root? Why not just run
it as user uucp via su? For that matter, running non-root owned
executables from daily seems like a really bad idea.
- todd
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message