Message-Id:
From: trost@reed.edu (Bill Trost)
Sender: decstation-managers-relay@stc06.ctd.ornl.gov
To: decstation-managers@ornl.gov
Cc: root@reed.edu
Subject: more security holes
Date: Fri, 10 Jul 92 11:41 PDT

Anyone have any idea why /usr/bin/mail is setgid kmem? One of my coworkers just demonstrated his password snarfer by using a shell escape from mail. The program was published in Informatik 4, available as ftp.eff.org:/pub/inform/inform-4.

I'm also told the mail does not work if you remove its setgidness. Yay DEC....