[root@king may26]# ls -al /usr/bin/gkermit -rwxr-sr-x 1 root uucp 31484 May 10 15:08 /usr/bin/gkermit The problem?G-Kermit CU-1.00, Columbia University, 1999-12-25: POSIX. Usage: gkermit [ options ] Options: -r Receive files -s fn Send files -g fn Get files from server -a fn As-name for single file ... -w Write over existing files with same name -K Keep incompletely received files ... -X External protocol -q Quiet (suppress messages) -d [fn] Debug to ./debug.log [or specified file] -h Help (this message) It does all those things but never drops permissions! For example: [user@king /tmp]$ id uid=200(user) gid=100(users) groups=100(users) [user@king /tmp]$ ls -al /var/log/uucp/log -rw-rw---- 1 uucp uucp 0 Jun 2 18:01 /var/log/uucp/log [user@king /tmp]$ gkermit -d /var/log/uucp/log [user@king /tmp]$ ls -al /var/log/uucp/log -rw-rw---- 1 uucp uucp 282 Jun 2 18:04 /var/log/uucp/log [user@king /tmp]$ cat /var/log/uucp/log cat: /var/log/uucp/log: Permission denied [user@king /tmp]$ su Password: [root@king /tmp]# cat /var/log/uucp/log G-Kermit CU-1.00, Columbia University, 1999-12-25: POSIX MAXPATHLEN = 1024 cmdlin action = (none) ttopen __STDC__ ttopen SIG_V ttopen nonblocking read/write ttopen TINBUFSIZ = 4080 ttopen xonxoff = 0 ttopen noxonxoff = 0 ttopen ttflags 2 ttopen nomodes 0 ttopen nonblock = 1 exit 0 [root@king /tmp]# See it will write to any file writable by user uucp, and it gets worse. Take for example /etc/uucp/passwd: [root@king rawhide]# ls -al /etc/uucp/passwd -rw-r----- 1 root uucp 323 Mar 7 05:39 /etc/uucp/passwd Using gkermit anyone could send that file anywhere because it is readable by group uucp and therefore gkermit will gladly send it. Gkermit either needs to drop permissions before performing any operations dealing with files or it needs to lose the setgid uucp. Either way it presently will give away uucp passwd file which is bad enough by itself. Due to you guys making no files writable by group uucp by default, the scope of this problem is mostly just reading files instead of writing to them which is a good thing when you think about it ;) -Stan Bubrouski
See bug #14539 - this may be nastier than it seems Upgrading severity to security
Removing sgid uucp fixes both I believe, though I agree with the changes Solar Designer suggests in bug #14539
gkermit is not setgid uucp in the latest packages.