tgl@zog.cs.cmu.edu (Tom Lane) (04/11/90)
I've run into a couple of problems using cu(1) under HPUX 7.0. First, cu seems to flush all its environment variables except PATH and LANG. According to the System Security manual this is now done by all standard setuid-root programs. The trouble with cu doing it is that subprocesses spawned with ~! or ~& don't get any of the rest of the user's environment. This is a REAL serious problem for some cu scripts that I have. Does anyone have a workaround? Second, cu creates a lock file in /usr/spool/uucp while it is setuid root, but then it reverts to the caller's uid. When it quits it is not able to remove the lock file unless /usr/spool/uucp is world-writable. Making it so seems a security hole to me; aren't there a lot of other files kept in that directory? -- tom lane Internet: tgl@cs.cmu.edu UUCP: <your favorite internet/arpanet gateway>!cs.cmu.edu!tgl BITNET: tgl%cs.cmu.edu@cmuccvma CompuServe: >internet:tgl@cs.cmu.edu
mckee@hpfcdc.HP.COM (Bret McKee) (04/13/90)
>First, cu seems to flush all its environment variables except >PATH and LANG. According to the System Security manual this is >now done by all standard setuid-root programs. The trouble with >cu doing it is that subprocesses spawned with ~! or ~& don't get >any of the rest of the user's environment. This is a REAL serious >problem for some cu scripts that I have. Does anyone have a workaround? Unfortunatly there is not convient workaround. I have just completed making the changes for release 8.0 which will correct this problem, but I realize that this doesn't help you right now. If it is a huge problem you might want to go through online support to see about getting a patch. --- Bret Mckee Hewlett Packard HP-UX Development Lab Phone:(303)229-6116 email: mckee@hpmckee or mckee%hpmckee@hplabs.hp.com Copyright (c) Bret Mckee 1990. All Rights Reserved. Of course, these are just my opinions...