USERFILE, can this be true?

[Stuart Gathman]

After years of trying to use the userid field in /usr/lib/uucp/USERFILE,
I finally figured out what it is.  It appears to be the userid of
the person initiating the request on the *remote* machine.  

All this time I thought it was the uucp login assigned to the remote
machine.  This seems incredible.  The assumption seems to be that 
all connected machines are trustworthy, and only users need be regarded
with suspicion.  Any machine with any uucp password can masquerade as
any other machine.

Is this true?  Is there any thing that can be done?  (Other than
get HDB.)  Is there any way to restrict a particular uucp login?
-- 
Stuart D. Gathman	<stuart at bms-at.uucp>
			<..!{vrdxhq|daitc}!bms-at!stuart>