Re: vulnerability in satan, cops & tiger

[zen () TROUBLE ORG (d)]

> Cops v1.04 (see below for a patch)
[...]

> All the following bugs can be used to create or overwrite any file on the
> system, because these applications run usually under the root id.

There's no reason to run COPS as root; indeed, it explicitly says in
the docs that you shouldn't.  Also, the res_diff bug only affects people
running it out of cron (it examines the difference in the last run.)
Checkacct & mail.chk are not used in the normal cops run also.  (Shame
on me for doing this anyway, even if it was almost 10 years ago; I used
same-dir temp files for everything else.)

I won't comment on satan, 'cuz wietse already did.

> closing remarks: I was shocked when I found these bugs. These security tools
> have been around since years - and yet nobody had checked this ??

I had found the problems in cops (in res_diff, not the other programs; one
wasn't even mine) but never got around to releasing a patch - hardly an
earth-shattering problem, IMHO.

> If this is a reflection of our security consciousness, well, we are in big
> trouble since a long time and things are not getting better (especially with
> M$ around)

Believe me, the security conciousness of today is light years ahead of
where we where back when, which shows you how pathetic things were then.

However, it's good to see someone putting effort into these things -
keep up the work.

dan