bill@franklin.com (Bill) (02/14/91)
[I've crossposted this widely because there should be a lot of people who care about this; however, I've directed followups to comp.unix.sysv386.] Interactive's Unix isn't the only one with a really serious security hole. Microport 3.0e, and possibly others from Microport, has an equally awful hole and it is unfixable without kernel hacking. Microport knows about it since I told them about it; I don't know what, if anything, they are going to do about it. If anyone out there wants information on this bug, I will send it to you. Also, I have created a replacement for the offending kernel module of 3.0e and can send that. However, I will only send these to root@yoursite and only if I think that the path to your site is reasonably secure. If you are at the end of an insecure (in my opinion, and I won't change it) path and you still want this information, I will arrange a direct uucp connection to send it. If that won't work, I'll try to arrange something. I won't immediately describe the bug on the net in order to give admins a chance to fix their systems before the crackers get a whack at it. I can't even describe the general area that this bug compromises without making it too easy to trigger it. In a few weeks, after the expected deluge of "what *is* that bug" messages, I will post the informational message I'm sending out. -- Consider said various vicious and incendiary comments about brain dead programmers and inadequate QA. These bugs should *never* have made it out the door and, having done so, they should never have lasted as long as they have. Of course, we can't blame the guys at Interactive and Microport too much; they have had the example (and largely uncomment code) of those guys who gave us the still unfixed (or so I hear) System V inode bug.