Index Home About Blog
Newsgroups: comp.risks
X-issue: 7.74
Date: Wed, 9 Nov 88 23:01:29 EST
From: <Steven Bellovin> <hector!smb>
Subject: The worm and the debug option

Sorry -- in both Berkeley's and Sun's standard distribution, debugging comes
enabled.  That's perhaps defensible from Berkeley; they're distributing a
research system, to customers prone to tinker, and sendmail is certainly
complex enough to need lot's of debugging.  Nor can I necessarily criticize
it from Sun; it's often useful to be able to trace such a program.  The flaw
is not that debug mode was possible; rather, that sendmail's debug mode (a)
was accessible remotely; and (b) expanded the range of inputs accepted by
the program, rather than just providing extra trace data.  What's even more
amazing is the statement Eric Allman (the author of sendmail) was quoted in
the N.Y. Times as making:  that he added that code to get around restrictive
management policies.  That is, it was a deliberate back door, albeit one
with a nominally-limited intended scope.  10-Nov-88

Index Home About Blog