Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.1a 7/7/83; site rlgvax.UUCP
Path: utzoo!linus!security!genrad!decvax!harpo!seismo!rlgvax!guy
From: guy@rlgvax.UUCP (Guy Harris)
Newsgroups: net.bugs.uucp
Subject: Re: Security hole on systems with drwxrwxrwx /usr/spool/uucp
Message-ID: <1358@rlgvax.UUCP>
Date: Wed, 2-Nov-83 11:45:15 EST
Article-I.D.: rlgvax.1358
Posted: Wed Nov  2 11:45:15 1983
Date-Received: Sun, 6-Nov-83 09:48:03 EST
References: utcsrgv.2588 <967@utah-gr.UUCP>
Organization: CCI Office Systems Group, Reston, VA
Lines: 10

The "-x" option can't be given to any UUCP program under the 4.2BSD UUCP
unless your UID is under a certain magic number, specified in "uucp.h".
We changed it so that it wouldn't let you use the "-x" option unless you had
read permission on /usr/lib/uucp/L.sys, which avoids magic numbers and gives
you the effect you really want (i.e., people can't run "uucico" to some
system, turn the debugging up, and get told that system's login sequence for
UUCP).

	Guy Harris
	{seismo,ihnp4,allegra}!rlgvax!guy