john@trigraph.uucp (John Chew) (05/25/90)
In <7591@ur-cc.UUCP> Mark Sirota <msir@cc.rochester.edu> writes:
>Most sendmails seem to come with the following line in the aliases database:
>	decode: "|/usr/bin/uudecode"
>
>Why?  What purpose does this serve?  It won't work on our system anyway
>since we don't have uudecode in /usr/bin, so either nobody's complaining or
>nobody uses it.  My concern is that it needs to be there for some program or
>something.
>
>So what's the net.wisdom on this one?  Kill it?  It seems like it might be
>a bit of a security hole, too, but I'd rather not go into any more detail
>than that here.

It's just there for the purpose documented in uuencode(1): so that people
can send binary files to your system using
"uuencode source dest | mail site!...!site!decode".

If you're worried about security, two easy things to do are to replace the
alias with a pipe to a script which sed's off any pathnames, and to rename
the alias to something other than its standard name.  Or even better, just
leave it disabled for maximum security.

John
--
john j. chew, iii                  phone: +1 416 425 3818    AppleLink: CDA0329
trigraph, inc., toronto, canada    {uunet!utai!utcsri,utgpu,utzoo}!trigraph!john
dept. of math., u. of toronto      poslfit@{utorgpu.bitnet,gpu.utcs.utoronto.ca}
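The "pipe to a script which sed's off any pathnames" option above, written out as an added example (this is not code from the thread or from any sendmail distribution). The filter rewrites the "begin <mode> <path>" header of the uuencoded input so that only the basename survives, drops setuid/setgid/sticky bits from the mode (a setuid uudecode would otherwise create the file with them), and runs uudecode from a fixed spool directory. It also accepts the "begin-base64" header that later uudecode implementations understand, which goes beyond the 1990 format. The spool directory, the fallback filename and the script location named in the comments are assumptions.

```shell
#!/bin/sh
# Sanitising front end for a mail-driven "decode" alias (example added
# here, not from the thread). Constructed demo input is at the bottom.

UUSPOOL=${UUSPOOL:-/var/spool/uudecode}   # assumed landing directory

# Rewrite every "begin"/"begin-base64" line; pass all other lines through.
strip_uu_path() {
    awk '
    /^begin(-base64)? [0-7]+ / {
        kw   = $1                         # "begin" or "begin-base64"
        mode = $2
        path = $0
        sub(/^begin(-base64)? [0-7]+ /, "", path)   # rest of line is the path
        sub(/.*\//, "", path)                        # keep only the basename
        if (path == "" || path == "." || path == "..")
            path = "decoded.out"                     # assumed fallback name
        if (length(mode) > 3)
            mode = substr(mode, length(mode) - 2)    # low 9 permission bits only
        print kw " " mode " " path
        next
    }
    { print }
    '
}

# What the alias would invoke, e.g.
#     decode: "|/usr/local/lib/uudecode-filter"      (assumed location)
# Runs in a subshell so the chdir does not leak; even a sanitised relative
# name can then only land inside the spool directory.
decode_into_spool() {
    ( cd "$UUSPOOL" && strip_uu_path | uudecode )
}

# Demonstration on constructed input (no uudecode needed): the header
# "begin 4755 /etc/passwd" comes out as "begin 755 passwd".
printf 'begin 4755 /etc/passwd\nM<constructed data line>\n`\nend\n' | strip_uu_path
```

Renaming the alias, as suggested, is a separate change in the aliases file; the filter above only limits what a message can do once it reaches the alias.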
jik@athena.mit.edu (Jonathan I. Kamens) (05/26/90)
In article <7591@ur-cc.UUCP>, msir@uhura.cc.rochester.edu (Mark Sirota) writes:
|> Most sendmails seem to come with the following line in the aliases database:
|> 	decode: "|/usr/bin/uudecode"
|>
|> Why?  What purpose does this serve?  It won't work on our system anyway
|> since we don't have uudecode in /usr/bin, so either nobody's complaining or
|> nobody uses it.  My concern is that it needs to be there for some program or
|> something.

Its alleged "purpose" is to make file transfer between machines easier.
One machine can send uuencoded mail to "decode" on the other machine, and
have the file automatically uudecoded and installed in the right place
(based on the install filename in the uuencoded file).

|> So what's the net.wisdom on this one?  Kill it?  It seems like it might be
|> a bit of a security hole, too, but I'd rather not go into any more detail
|> than that here.

Yes, it's a glaring security hole, and vendors which include it in their
standard software distribution should be shot, ESPECIALLY if uudecode is
installed setuid, which it is, on some systems.

For sure, remove it.  For sure, make sure your uudecode isn't setuid.  If
you paid for your sendmail software and that line was in the default
aliases, then flame at your vendor for putting it there.

Jonathan Kamens			      USnail:
MIT Project Athena			11 Ashford Terrace
jik@Athena.MIT.EDU			Allston, MA  02134
Office: 617-253-8495			      Home: 617-782-0710
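The two checks recommended above, a live "decode" alias and a setuid uudecode, as an added audit script (not code from the thread). The aliases file and uudecode path are parameters so the same functions run against /etc/aliases and /usr/bin/uudecode or, as in the constructed demo at the bottom, against throwaway files; those demo files are constructed here and are not real system contents.

```shell
#!/bin/sh
# Audit helpers for the sendmail "decode" alias (example added here).

# Returns 0 if an uncommented "decode:" alias pipes into a uudecode command.
# Lines beginning with '#' are comments in the aliases file and are ignored.
decode_alias_enabled() {
    aliases_file=$1
    grep -E '^[[:space:]]*decode[[:space:]]*:' "$aliases_file" 2>/dev/null \
        | grep -q 'uudecode'
}

# Returns 0 if the given binary carries the setuid or setgid bit.
uudecode_is_setuid() {
    [ -u "$1" ] || [ -g "$1" ]
}

# Report both problems; exit status 1 if either is present.
# Defaults are the conventional locations, not verified on any system.
audit_decode_alias() {
    aliases_file=${1:-/etc/aliases}
    uudecode_bin=${2:-/usr/bin/uudecode}
    status=0
    if decode_alias_enabled "$aliases_file"; then
        echo "WARN: $aliases_file has a live decode alias; comment it out and run newaliases"
        status=1
    fi
    if [ -e "$uudecode_bin" ] && uudecode_is_setuid "$uudecode_bin"; then
        echo "WARN: $uudecode_bin is setuid/setgid; chmod u-s,g-s $uudecode_bin"
        status=1
    fi
    return $status
}

# Demonstration on constructed files (no real aliases or uudecode touched).
demo=$(mktemp -d)
printf 'postmaster: root\ndecode: "|/usr/bin/uudecode"\n' > "$demo/aliases"
: > "$demo/uudecode" && chmod 4755 "$demo/uudecode"
audit_decode_alias "$demo/aliases" "$demo/uudecode" || true   # prints both WARN lines
rm -rf "$demo"
```

Commenting the alias out in the text file is not enough on its own: sendmail reads the compiled database, so the change takes effect only after running newaliases.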