Acbosgd.2105
net.followup
utcsrgv!utzoo!decvax!ucbvax!ihnss!houxi!houxf!houxe!lime!vax135!harpo!cbosg!cbosgd!mark
Thu Mar 11 09:41:40 1982
Re: On telling people not to crack security

Come on, folks, it can't be THAT hard to fix your UNIX to disallow the block transmit hook! Here is a proposed fix - refinements are welcome.

Modify the /bin/mail (or /etc/delivermail), write, and wall programs to remove all non-printing non-space characters from their input (e.g. keep all isprint, isspace, ' ', and '\08' chars).

Change the default mode of terminals from 644 to 600. This requires a different convention for mesg - I propose turning on the owner xqt bit means mesg n. Change write and wall to understand this. write and wall must be made suid, with the appropriate careful check for shell ! escapes.

Note that UNIX is more vulnerable to this bug than most systems because other people's tty's are by default writable. There are other systems that don't even have a notion of what the other guy's tty is.

The solution of not buying any terminal with remote transmit for super users is downright stupid. The very guys who are going to be super users are the ones that expect the most from their terminals, and to get a terminal WITHOUT that feature you probably have to settle for something stupid like an adm3a or tty 33. I know what I'D say if they gave me a choice between a reasonable terminal and the root password.

Mark Horton

-----------------------------------------------------------------

gopher://quux.org/ conversion by John Goerzen of http://communication.ucsd.edu/A-News/

This Usenet Oldnews Archive article may be copied and distributed freely, provided:

1. There is no money collected for the text(s) of the articles.

2. The following notice remains appended to each copy:

The Usenet Oldnews Archive: Compilation Copyright (C) 1981, 1996 Bruce Jones, Henry Spencer, David Wiseman.