Binary Programs on Info-Iris

James Helman jim at baroque.Stanford.EDU
Tue Sep 25 11:01:47 AEST 1990 

    1) Binaries should not be posted to the net: I have been slated by
    workmates, quite rightly, for attempting to run Pauls program on
    our machine.  The net is not secure and running binaries straight
    off it (even if the appear to come from sgi) is not a good idea.

The same is true of large source code distributions as well.  I have
looked at only a small fraction of the source code off the net which
I've compiled, some of it installed suid root.  Any piece of it could
be dangerous, but not necessarily by intention.  A good example is the
recent XView source code distribution, whose original makefile (which
was quickly corrected and disseminated thanks to the net) did an "rm
-rf ../../."  in response to a "make clean."  Another was the gnuemacs
makemail security "hole", which resulted from someone incorrectly
installing suid root a program which was not designed for and did not
need to be installed that way.

I think it's important to raise the issue.  Sysadmins of lots of
machines right on the Internet are too complacent about security, not
even bothering to put passwords on user, and often even system,
accounts.  Others are too paranoid and want to forbid use of any
software from the net.  They both worry me.

Everyone should remember what can happen, even when your machine is
running mainstream software:

    Received: by thrush.STANFORD.EDU (3.2/4.7); Thu, 3 Nov 88 03:36:02 PST
    Subject: Sun & Vaxen virus ALERT!
    Date: Thu, 03 Nov 88 03:36:00 PST

    This evening our cluster of Suns and Vaxen started having a fit.
    Sluggish.  Heavy load.  The finger daemons were buzzing and lots
    of sh's and rsh's started popping up.
				. . .
    Yep, someone is spreading a virus across the ethernet by executing a
    shell commands via sendmail.  The shell script compiles and runs a C
    program which opens an ethernet connection to copy the full virus from
    an infected machine.  Apparently, it then looks for ways to propagate
    itself to other machines.  I've managed to intercept a copy of the
    receptor program by creating a fake sed.  But so far, I haven't been
    able to get a full copy.  This virus doesn't appear to do any damage
    other than creating a heavy load and possibly crashing the machine
    when resource limits are exceded.

Whether risking network software is worthwhile depends on how much you
trust the source and how much you want the software.  And most of us
want software real bad.

Most of the past damage hasn't been caused by malice, but by goofs.
Let's hope both consumers and suppliers of code are careful enough to
avoid any disasters.  It's too valuable an exchange to give up.

Jim Helman
Department of Applied Physics			Durand 012
Stanford University				FAX: (415) 725-3377
(jim at KAOS.stanford.edu) 			Work: (415) 723-9127

More information about the Comp.sys.sgi mailing list