How secure is UNIX? (Re: Stupid man

[carroll at m.cs.uiuc.edu]

/* Written 11:22 am  May 28, 1990 by dce at smsc.sony.com in m.cs.uiuc.edu:comp.unix.questions */
In article <1990May28.102235.10021 at agate.berkeley.edu> dankg at ocf.Berkeley.EDU (Dan Kogai) writes:
>In article <9000030 at m.cs.uiuc.edu> carroll at m.cs.uiuc.edu writes:
>>in it. Does FTP check for .netrc specially? If not, then this seems to
>>claim that you ftp'd the .netrc and it was that copy that was used,
>>not your 600 .netrc.
>
>	It might be system dependent but ALL ftp I know refuses to use
>.netrc with wrong mode.

Hold on, Dan.  I think that carrol at m.cs.uiuc.edu is asking "when going
a get or a put, does ftp check for .netrc specially".  That is, is it
possible that you did a get/put of everything in a directory, and
that your .netrc got copied to a new place without being protected?
/* End of text from m.cs.uiuc.edu:comp.unix.questions */
Yes, this is what I meant. The scenario I envisioned was,
1. A tar is done on "." or using find, such that the .files are included,
   including the .netrc.
2. The tar file is ftp'd somewhere else, with permissions such that
   another user can get the file (normally or through ftp).
3. This other user then untars the file, and the .netrc, still with 600
   permissions, is also untarred, but _owned by the other user_, because
   that's what tar does (on BSD - on SysV, you have to go to the trouble
   of using the -o flag).
4. Other user then picks the password out of the file.

I can't see how ftp could possibly prevent this from happening, and I strongly
suspect that something very similar to this took place.

Alan M. Carroll                Barbara/Marilyn in '92 :
carroll at cs.uiuc.edu            + This time, why not choose the better halves?
Epoch Development Team         
CS Grad / U of Ill @ Urbana    ...{ucbvax,pur-ee,convex}!cs.uiuc.edu!carroll