MOO-cows Mailing List Archive


Re: Fun with FUP and root.




In message <Pine.SOL.3.91.970225215255.749A-100000@schoolnet2>, Neil Fraser writes:
> 
> It doesn't take a rocket scientist to figure out that MOOs with FUP and 
> root perms are a dangerous mix, but not every root knows just how 
> flexible a MOO can be (it isn't just a Dungeon game for the kiddies).  
> Fortunately only wizards who have UNIX accounts can take advantage of 
> this situation when it arises.
> 
Warning: I have never looked at MOO server source, so part or all of
what I'm about to say may make little sense. I'll be pleased to learn
that my fears are unfounded, but please, no flames.

I would tend to disagree with what you say. Experience with large programs
(> 10-20 K source lines) has made it painfully obvious that having an account
on a machine is *not* needed to get a root shell. Just for the fun of it,
have a look at bugtraq archives or CERT advisories, or do a Web search for
"buffer overflow". At the moment, MOO has yet to become the security joke
that, say, sendmail is, but I wouldn't bet on it being hole-free, and lack
of public knowledge of the holes is no guarantee of security.

Just my $.02

Michel Lavondes (lavondes@tidtest.total.fr), speaking only for himself

"Yea, the heavens shall open and the NP-complete solution be given forth.
ATT executives shall give birth to two-headed operating systems, and 
copyrights shall be expunged. The voice of the GNU shall be heard, but
the faithless will be without transceivers." -- Steve Simmons

