Path: utzoo!attcan!uunet!cs.utexas.edu!tut.cis.ohio-state.edu!pt.cs.cmu.edu!rochester!bukys
From: bukys@cs.rochester.edu (Liudvikas Bukys)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: anonymous ftp, and the dangers thereof
Message-ID: <1990Jun8.134620.24070@cs.rochester.edu>
Date: 8 Jun 90 13:46:20 GMT
References: <392@minya.UUCP>
Reply-To: bukys@cs.rochester.edu (Liudvikas Bukys)
Organization: University of Rochester Computer Science Dept
Lines: 25

In article <392@minya.UUCP> jc@minya.UUCP (John Chambers) writes:
>> It is not good practice to allow random anonymous users to
>> scribble into directories ...
>
>The obvious counter-example to this is /usr/spool/uucppublic, which
>is almost always world-writable, yet there seem to be no reports of
>even minor problems with this. It's usually considered a useful
>part of uucp, and an assortment of tools (uuto/uupick, for
>example) are layered on top of it.
>
>It's true (in fact, it's obvious) that one could fill up a victim's
>disk partition. But this doesn't seem to trigger calls for
>shutdowns of all uucp sites until the horrible security problems
>are fixed. (Well, OK, users of competing packages *do* make such
>calls, but not uucp's users. ;-)

1. Here's one "minor problem" report: I have heard that .rhosts files
have been uucped into ~uucp. Think about it.

2. Most uucp connections are point-to-point, many (most?) sites have a
distinct login for each neighbor, and pretty thorough logging is done.
Under these circumstances, it is easy to trace a culprit back to a
specific neighbor machine, and there is something you can do about it
if no appropriate response is heard -- sever your connection to that
neighbor.
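The .rhosts-in-~uucp report above describes the hazard of a world-writable drop directory that is also a service account's home. The following audit script is an added example, not part of the original thread: it checks a drop directory for that condition, for world-writability without the sticky bit, and for dropped dotfiles that shells, mailers or the r-commands would interpret. The directory and home paths are supplied by the caller (constructed in the usage call below); no real site paths are assumed.

```shell
#!/bin/sh
# audit_dropdir DIR HOMEDIR
#   DIR     - world-writable drop directory (e.g. a uucppublic or ftp incoming area)
#   HOMEDIR - home directory of the account owning the service (e.g. ~uucp)
# Prints one FINDING line per problem and returns the number of findings (0 = clean).
audit_dropdir() {
    dir=$1
    homedir=$2
    findings=0

    # 1. If the drop directory *is* the account's home, anything written there
    #    (.rhosts, .forward, ...) is read as that account's own configuration.
    if [ "$dir" = "$homedir" ]; then
        echo "FINDING: $dir is the service account's home; use a separate spool subdirectory"
        findings=$((findings + 1))
    fi

    # 2. World-writable without the sticky bit lets any writer delete or replace
    #    files other users dropped; with the sticky bit only the owner may remove them.
    if [ -d "$dir" ]; then
        mode=$(ls -ld "$dir" | cut -c1-10)      # e.g. drwxrwxrwt
        case $mode in
            *t|*T) ;;                           # sticky bit present: acceptable
            *w?)   echo "FINDING: $dir is world-writable without the sticky bit"
                   findings=$((findings + 1)) ;;
        esac
    fi

    # 3. Dotfiles consumed by rlogin/rsh, sendmail or login shells never belong here.
    for f in .rhosts .forward .profile .login .cshrc; do
        if [ -e "$dir/$f" ]; then
            echo "FINDING: unexpected $f dropped in $dir"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Usage on a constructed directory (stands in for a real spool area):
demo=$(mktemp -d)
mkdir "$demo/uucppublic" && chmod 777 "$demo/uucppublic"
: > "$demo/uucppublic/.rhosts"
audit_dropdir "$demo/uucppublic" "$demo/uucppublic"   # reports 3 findings
rm -rf "$demo"
```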