UUCP security
Michael
michael at stb.UUCP
Mon May 16 07:14:18 AEST 1988
In article <234 at ateng.UUCP> chip at ateng.UUCP (Chip Salzenberg) writes:
>In article <7049 at mcdchg.UUCP> heiby at mcdchg.UUCP (Ron Heiby) writes:
>>I'm uid=501(heiby) gid=101(mot) on my system, and bunches of "?" are
>>displayed instead of sensitive information when I invoke uucico.
>>When I invoke uucico while logged in as "root", I get to see everything.
>>If your implementation does not do this, then it should be fixed
>>by your vendor.
>
>Actually, what should be fixed are the access permissions of uucico: 6770.
>
[details ommited]
Actually, there is something much better than this: 2770.
All the uucp programs should use set-G-id for protection; it is sufficient
to maintain security. The problem with set-U-id, especially for uucp, is
that uucp and uux cannot read your files unless they are world-readable,
which means anyone can read them, and the whole security feature is lost.
Michael
: ---
: Michael Gersten uunet.uu.net!ucla-an.ANES\
: ihnp4!hermix!ucla-an!denwa!stb!michael
: sdcsvax!crash!gryphon!denwa!stb!michael
: "Machine Takeover? Just say no."
: "Sockets? Just say no." <-- gasoline
More information about the Comp.unix.xenix
mailing list