[news.sysadmin] The worm/virus was a good thing

brad@looking.UUCP (Brad Templeton) (11/06/88)

Let's face it, something like this had to happen on internet someday.
That much complex software with deliberately limited security?  Of
course it would, and will again.

This virus displayed one of the nastiest holes you can have in a system.
Root access to every vax/sun with a debug-enabled sendmail program.
Very nasty things could have been done.

Everybody has learned a lesson cheap.  There will be more lessons in
the future, in other new ways, but this lesson will help people who write
future code.


While everybody knows that the programs that do network communication,
like sendmail, should be extra secure, a program that complex is bound
to have a hole here or there.   Perhaps the lesson is that programs that
do accept input from the outside world must *NOT* run as root, or must
do their root stuff in an independent, simpler, security checked process.
(Perhaps the multics boys were right?)
-- 
Brad Templeton, Looking Glass Software Ltd.  --  Waterloo, Ontario 519/884-7473

vixie@decwrl.dec.com (Paul Vixie) (11/08/88)

Here we go with the second-order effects.  We're going to use more bandwidth
arguing about this than the worm used.  But as long as everyone is going to
pontificate, let me set one or two facts straight along the way...

# This virus displayed one of the nastiest holes you can have in a system.
       ^^^^^
# Root access to every vax/sun with a debug-enabled sendmail program.
  ^^^^
# Very nasty things could have been done.

If root access had been given, no doubt nastier things could have been done.

But root access wasn't given.  Sendmail runs as root but setuid(2)'s
whenever it's about to try to deliver something.  It setuid(2)'s to the
sender, if the message was generated locally; otherwise it setuid(2)'s to a
(more or less) hardcoded "1", which is usually "daemon" on BSD-type systems
and which generally has less ability to scribble on important files than
"root" would have.

Yes, having random code imported to your system and executed as daemon is an
ugly and unsettling thing, and it's, um, "evil and rude" :-), but it is just
a little bit (one notch, maybe) less troublesome than if it ran as root.

And, although every newspaper in the country and half the administrators on
the Internet want it to be a "virus", it was really a "worm".
-- 
Paul Vixie
Work:    vixie@decwrl.dec.com    decwrl!vixie    +1 415 853 6600
Play:    paul@vixie.sf.ca.us     vixie!paul      +1 415 864 7013
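
Added example (not part of either post, and not sendmail's source): the delivery-time privilege drop described in the second post, written in C as a forked child that gives up root before any delivery code runs and then checks that root cannot be regained. The function names, the `mailer` callback and the use of gid 1 are assumptions made for illustration; only the uid 1 ("daemon") choice comes from the thread.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>
#define DAEMON_UID ((uid_t)1) /* the "(more or less) hardcoded 1" from the post */
enum { DROP_OK = 0, DROP_REFUSED = 1, DROP_REVERSIBLE = 2 };

/* Pick the delivery identity: the sender for local mail, daemon otherwise. */
uid_t delivery_uid(int generated_locally, uid_t sender)
{
    return generated_locally ? sender : DAEMON_UID;
}

/* Child side: give up privilege permanently, then prove it is gone. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    /* Order matters: groups and gid first, while we may still change them. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return DROP_REFUSED;
    if (setgid(gid) != 0 || setuid(uid) != 0)      return DROP_REFUSED;
    if (getuid() != uid || geteuid() != uid)       return DROP_REFUSED;
    /* If root can be regained, the drop was only cosmetic. */
    if (uid != 0 && setuid(0) == 0)                return DROP_REVERSIBLE;
    return DROP_OK;
}

/* Fork a delivery child; the hypothetical mailer hook runs only after a
 * verified drop, and any failure means the message is not handled at all. */
int deliver_as(uid_t uid, gid_t gid, void (*mailer)(void))
{
    pid_t pid = fork();
    if (pid < 0) return DROP_REFUSED;
    if (pid == 0) {
        int rc = drop_privileges(uid, gid);
        if (rc == DROP_OK && mailer) mailer();
        _exit(rc);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return DROP_REFUSED;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed case: remote mail when started as root, else our own uid. */
    uid_t uid = geteuid() == 0 ? delivery_uid(0, 0) : getuid();
    gid_t gid = geteuid() == 0 ? (gid_t)1 : getgid();
    printf("delivery as uid %d -> %d\n", (int)uid, deliver_as(uid, gid, NULL));
    return 0;
}
```

The parent stays privileged only long enough to fork; everything that touches message content runs in the child, which is the "independent, simpler" split suggested in the first post.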