SECURITY BUG IN INTERACTIVE UNIX SYSV386

Piercarlo Grandi pcg at cs.aber.ac.uk
Tue Feb 19 08:46:30 AEST 1991 

On 18 Feb 91 02:04:24 GMT, davidsen at sixhub.UUCP (Wm E. Davidsen Jr) said:

davidsen> In article <27B93F44.5606 at tct.uucp> chip at tct.uucp (Chip
davidsen> Salzenberg) writes:

	[ .. on the appalling trapdoor in SysV 3.2 that turns the Unix
	kernel itself into a trojan horse ... ]

davidsen> I am amazed that the companies didn't fix it instantly and
davidsen> send it by registered express mail to every owner.

And admit that the problem exists? The first thing their attorney will
have told them must have been "don't admit anything". They tried to hush
things initially.

davidsen> In today's litigatious climate, I can see a jury finding them
davidsen> negligent.

Negligent of what? Technically and practically, all these vendors are
just selling you defect free floppies. The usefulness of their contents
are explicitly disclaimed in every possible way. Only an irresponsible
person does not read the warranties, especially when they are so clear
and explicit. You may think that uniform warranty legislation is the
answer, but then this would kill off free sw of any type.

I think that in legal terms, and in practical terms as well, the
perpetrators of this debacle have been perfectly honest -- they *do*
sell you defect free floppies, and if they are not defect free they will
eventually (slowly, apparently :-/) replace them with defect free ones
for a period of up to 90 days. They promise you something, they keep
their promise. Don't take them to task for failing to deliver soemthing
they have never promised, like Unix, or a secure Unix, or a Unix in
which there are no trapdoor.

For all we know there is the in System V shell a secret "becomeroot"
command that allows those "in the know" to become root exploiting the
u-area trapdoor. How do you know there is no such command or option? Do
any of the System V suppliers promise you that there is no such thing?
No, actually they disclaim any representation to this effect.

If *you* think that you are purchasing a Unix product, that's *your*
problem. You are in fact purchasing System V brand defect free floppies,
for over $1,000. Up to you to decide whether a set of defect free
floppies (and a chance, for which you take all responsibility, at
running whatever is recorded on them) is worth $1,000. You are never
misled about what your money is really buying.

Naturally we both know what's the _real_ story, but what is written
above seems to me logically flawless. Much more dangerous
misunderstandings can happen:

I remember a jerk that had complained that the Internet Worm had caused
a downtime of two days on his Unix based network and his organization
could not afford a two day downtime for the whole network. I would have
promoted the jerk to assistant janitor on the spot, because somebody
that cannot afford a two day downtime cannot run software whose warranty
states that in the event of problems *you* are liable to pay damages to
the software's *supplier*.
--
Piercarlo Grandi                   | ARPA: pcg%uk.ac.aber.cs at nsfnet-relay.ac.uk
Dept of CS, UCW Aberystwyth        | UUCP: ...!mcsun!ukc!aber-cs!pcg
Penglais, Aberystwyth SY23 3BZ, UK | INET: pcg at cs.aber.ac.uk

More information about the Comp.unix.sysv386 mailing list