From: Douglas McIlroy
Date: Wed, 1 Jan 2025 22:05:38 -0500
To: Rik Farrow
CC: TUHS main list
Subject: [TUHS] Re: "Webster's Second on the Head of a Pin"?
List-Id: The Unix Heritage Society mailing list

I think $IFS ranks at the top of Jim's cabinet of horrors. For our multilevel-secure Unix (https://www.cs.dartmouth.edu/~doug/IX), he took almost everything out of the administrative shell, nosh (the no-shell shell). The classic /bin/sh was not endowed with any of the capabilities necessary to override Bell-LaPadula-Biba secrecy or integrity constraints.

On Wed, Jan 1, 2025 at 1:11 PM Rik Farrow wrote:
>
> I wonder what Reeds meant. I know there are issues. For example, the 3B2 I administered for a while in the late 80s had multiple accounts with rsh, the restricted shell, as the login shell. That was okay, unless you used su and then had access to a root shell.
>
> HP/UX was way worse, with over 120 SUID shell scripts in the 90s. A much more interesting example of insecurity. But somehow, I'm guessing that's not what Reeds wrote about.
>
> Rik
>
>
> On Wed, Jan 1, 2025 at 8:02 AM Douglas McIlroy wrote:
>>
>> I have it and will try to scan it in the next few days. Bug me if it
>> doesn't appear.
>>
>> Doug
>>
>> On Tue, Dec 31, 2024 at 11:37 AM Chet Ramey wrote:
>> >
>> > On 12/29/24 8:44 AM, Douglas McIlroy wrote:
>> > > I can supply a copy if no one else has beaten me to it.
>> > >
>> > > Ron Hardin subsequently pushed the limit even further. Unfortunately,
>> > > I do not have a record of that work.
>> >
>> > Along these same lines, does anyone on the list have a copy of
>> >
>> > "J. A. Reeds, /bin/sh: The biggest UNIX security Loophole,
>> > 11217-840302-04TM, AT&T Bell Laboratories, Murray Hill, NJ (1984)"?
>> >
>> > Years ago, in another lifetime, I wrote and asked him for a copy, but
>> > never got a reply.
>> >
>> > --
>> > ``The lyf so short, the craft so long to lerne.'' - Chaucer
>> > ``Ars longa, vita brevis'' - Hippocrates
>> > Chet Ramey, UTech, CWRU chet@case.edu http://tiswww.cwru.edu/~chet/