From xemacs-m  Thu Apr  3 07:27:08 1997
Received: from frege.math.ethz.ch (root@frege-d-math-north-g-west.math.ethz.ch [129.132.145.3])
	by xemacs.org (8.8.5/8.8.5) with SMTP id HAA20876
	for <xemacs-beta@xemacs.org>; Thu, 3 Apr 1997 07:27:07 -0600 (CST)
Received: from fresnel.math.ethz.ch (vroonhof@fresnel [129.132.145.6]) by frege.math.ethz.ch (8.6.12/Main-STAT-mailer) with ESMTP id PAA18560 for <xemacs-beta@xemacs.org>; Thu, 3 Apr 1997 15:26:13 +0200
Received: (vroonhof@localhost) by fresnel.math.ethz.ch (8.6.9/D-MATH-client) id PAA23976; Thu, 3 Apr 1997 15:22:11 +0200
Sender: vroonhof@math.ethz.ch
To: xemacs-beta@xemacs.org
Subject: Re: A security hole during XEmacs installation
References: <kig7mipznnu.fsf@jagor.srce.hr> 	<m2raguibri.fsf@altair.xemacs.org> 	<199704012241.OAA06912@newman> 	<m2u3lqtesy.fsf@altair.xemacs.org> 	<199704030117.RAA00359@wmperry.in.aventail.com> 	<rviv24slhj.fsf@sdnp5.ucsd.edu> 	<QQcjqd25103.199704030559@crystal.WonderWorks.COM> 	<rvhghoske2.fsf@sdnp5.ucsd.edu> 	<m2afngtxrc.fsf@altair.xemacs.org> <199704030642.WAA20516@nocturne.tmai.com> <m24tdotw8z.fsf@altair.xemacs.org>
Mime-Version: 1.0 (generated by tm-edit 7.106)
Content-Type: text/plain; charset=US-ASCII
From: Jan Vroonhof <vroonhof@math.ethz.ch>
Date: 03 Apr 1997 15:22:10 +0200
In-Reply-To: Steven L Baur's message of 02 Apr 1997 23:13:00 -0800
Message-ID: <by67y4ckcd.fsf@math.ethz.ch>
Lines: 15
X-Mailer: Gnus v5.4.37/XEmacs 19.15(beta104)

Steven L Baur <steve@miranova.com> writes:

> If system binaries are owned by a login account, your system security
> is reduced to whatever care they take.  If that account gets infected
> with something like Bliss you might as well be running MS-DOS.

Note that Bliss is a trojan horse. It needs to be run to be effective.
The install program for XEmacs 23.4 could be just as harmful (and
remove any instances of FSF Emacs 20.678).

If the "normal" working account of the sysadmin gets hosed by a
trojan, then installing as root doesn't help because the su program
might be replaced by a trojan.

Jan

