[17801] in Athena Bugs
Re: security hole?
daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu Apr 20 16:17:25 2000
Message-Id: <200004202017.QAA04263@small-gods.mit.edu>
To: Ron Hoffmann <hoffmann@MIT.EDU>
Cc: bugs@MIT.EDU
In-Reply-To: Your message of "Thu, 20 Apr 2000 14:41:00 EDT."
<200004201841.OAA22217@Paddington.MIT.EDU>
Date: Thu, 20 Apr 2000 16:17:20 -0400
From: Greg Hudson <ghudson@MIT.EDU>
> Take an ultra* with the current field release, detach it's packs and
> attach decstation packs.
Did you actually succeed in doing this as a non-root user? (One who
isn't listed as trusted in /etc/athena/attach.conf, also.) That
shouldn't be possible.
> Before it reactivates and gets useful packs, try and log in as root.
> You will find that after providing the username and <cr> you'll get
> a bunch of errors, and then a shell prompt.
That shouldn't happen, of course; the relevant software should be
local (and appears to actually be local as far as I can tell). I'll
try it when I get the chance.
