[132] in Release_7.7_team
Re: Sendmail vulnerability
daemon@ATHENA.MIT.EDU (Jeffrey I. Schiller)
Sun Jul 17 21:15:34 1994
Date: Sun, 17 Jul 94 20:26:00 EST
From: jis@MIT.EDU (Jeffrey I. Schiller)
To: tytso@MIT.EDU (Theodore Ts'o)
Cc: Marc Horowitz <marc@MIT.EDU>, Matt Braun <mhbraun@MIT.EDU>, holes@MIT.EDU,
    release-77@MIT.EDU
Reply-To: jis@MIT.EDU

My understanding of this problem is that it lets local users become
root. This should only be an issue for our dialup servers, right?

Btw. I suspect that we should adopt a strategy where all privileged
(read: setuid root) programs are always on the local hard disk and are
updated against the system packs (perhaps a special area of the system
packs) at every reboot or reactivation (so we can replace them outside
the release cycle). By placing them on the hard drive we can turn off
their setuid bit on the system pack copy. That way as security holes are
found in privileged programs (which is a likely place where such
problems will be found) we are not at risk due to old system packs still
having setuid copies.

-Jeff
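
The strategy proposed in the message above, sketched as an added example that is not part of the original e-mail or of any Athena release code: `find_setuid` audits a system pack tree for copies that still carry the setuid bit, and `refresh_local` is a boot-time step that installs changed programs from a non-setuid pack area onto the local disk and sets the bit only there. The function names, directory layout and the `4755` mode are assumptions, and the refresh is assumed to run as root so the local copies end up root-owned.

```python
import filecmp
import os
import shutil
import stat
import tempfile


def find_setuid(root, owner_uid=0):
    """Return regular files under root that are setuid and owned by owner_uid."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow symlinks out of the pack
            if (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID
                    and st.st_uid == owner_uid):
                hits.append(path)
    return sorted(hits)


def refresh_local(pack_priv_dir, local_dir, mode=0o4755):
    """Copy changed programs from the pack area to local disk.

    The pack copies stay non-setuid; the setuid bit is applied only to the
    local copy. Returns the names that were installed or replaced.
    """
    os.makedirs(local_dir, exist_ok=True)
    updated = []
    for name in sorted(os.listdir(pack_priv_dir)):
        src = os.path.join(pack_priv_dir, name)
        dst = os.path.join(local_dir, name)
        if os.path.islink(src) or not os.path.isfile(src):
            continue  # only plain files are installed
        current = not os.path.islink(dst) and os.path.isfile(dst)
        if current and filecmp.cmp(src, dst, shallow=False):
            os.chmod(dst, mode)  # content is current; re-assert the mode
            continue
        fd, tmp = tempfile.mkstemp(dir=local_dir)
        os.close(fd)
        shutil.copyfile(src, tmp)
        os.chmod(tmp, mode)    # set after writing: writes clear the setuid bit
        os.replace(tmp, dst)   # atomic swap, no half-written privileged binary
        updated.append(name)
    return updated
```

Any path returned by `find_setuid` for a system pack is a copy that remains exploitable after the local one has been replaced.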