What's so special about uudecode?

Riccardo Pizzi pizzi at esacs.UUCP
Thu Jan 10 21:56:47 AEST 1991


In article <3036 at polari.UUCP> tronix at polari.UUCP (David Daniel) writes:

>[]Ha!  I think your vendor has made the *dreadful* error of making
>[]uudecode setuid to uucp "for the convenience of decoding received uucp
>[]files".  I have seen systems where this is a horrible security hole in
>[]that uudecode will allow anyone to make a setuid-to-uucp shell (begin 4755
>
>     [remainder of security hole explanation deleted]
>Even
>though you've told the net at large and who knows how many BBS's 
>around the world exactly how to hack a specific system and possibly 
>others I'll make a suggestion:
>You should have answered this person via e-mail with a cc to root. I'm 
>glad I don't have an account on his system.

I do not agree with you, by the way.
The information about security holes is of big interest for the entire
USENET community; it is stupid to try to hide things like this because of
being afraid of hackers. Just remember: hackers already know many of them,
while most system admins don't. Not being a hacker, I understand that a system
admin is not able to find all the possible ways to hack a system just because
that is not his goal, but is the hacker's one.

I don't remember the name of the guy who explained the uudecode security hole,
but I want to publicly thank him for the advice.

Rick
--
Riccardo Pizzi @ ESA Software, Rimini, ITALY
e-mail: pizzi%esacs at relay.EU.net -or- root at xtc.sublink.org
Public Access Unix @ +39-541-27858 (Telebit)
<< Object Oriented is an Opaque Disease >>
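
For administrators who want to check for the condition the quoted article describes, here is an added example (not part of the original post or of any vendor's tooling). It tests whether a uudecode binary carries setuid/setgid bits and flags uuencode "begin" headers that request such bits, like the "begin 4755" mentioned above. The candidate paths and the sample input are assumptions constructed for illustration.

```python
import os
import re
import stat

# uuencode header line: "begin <octal mode> <output filename>"
BEGIN_RE = re.compile(r"^begin\s+([0-7]{3,4})\s+(\S.*)$")

# Assumed install locations; adjust for the system being audited.
CANDIDATE_PATHS = ["/usr/bin/uudecode", "/bin/uudecode"]


def setid_bits(mode):
    """Return the names of the setuid/setgid bits present in a mode value."""
    bits = []
    if mode & stat.S_ISUID:
        bits.append("setuid")
    if mode & stat.S_ISGID:
        bits.append("setgid")
    return bits


def audit_binary(path):
    """Return setid bits on the file at path, or None if it does not exist."""
    try:
        return setid_bits(os.stat(path).st_mode)
    except OSError:
        return None


def risky_headers(text):
    """Return (line_no, mode, filename, bits) for headers asking for setid bits."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = BEGIN_RE.match(line)
        if match:
            bits = setid_bits(int(match.group(1), 8))
            if bits:
                findings.append((line_no, match.group(1), match.group(2), bits))
    return findings


# Constructed sample input: headers only, no encoded payload.
SAMPLE = "begin 644 notes.txt\nend\nbegin 4755 sh\nend\nbegin 2755 tool\nend\n"

if __name__ == "__main__":
    for path in CANDIDATE_PATHS:
        bits = audit_binary(path)
        if bits:
            print(f"{path}: {'/'.join(bits)} bit set; remove it (chmod u-s,g-s)")
    for line_no, mode, name, bits in risky_headers(SAMPLE):
        print(f"line {line_no}: 'begin {mode} {name}' requests {'/'.join(bits)}")
```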


