Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.1 6/24/83; site ariel.UUCP
Path: utzoo!watmath!clyde!burl!ulysses!mhuxl!houxm!hogpc!houti!ariel!rick
From: rick@ariel.UUCP
Newsgroups: net.bugs.uucp
Subject: uucp permission bug in reading/writing files
Message-ID: <706@ariel.UUCP>
Date: Wed, 25-Jul-84 17:29:16 EDT
Article-I.D.: ariel.706
Posted: Wed Jul 25 17:29:16 1984
Date-Received: Fri, 27-Jul-84 05:17:54 EDT
Organization: AT&T-ISL, Holmdel, NJ
Lines: 30

DESCRIPTION:

  USG System V "uucp(1)" uses outdated and incorrect code to check whether the
"uucp" has permission to read a source file.  This is not a security violation,
but rather is "overprotective" in assuming that "uucp" is ALWAYS a member of
the "other" (a.k.a. "world") category.  This is unneccessary, and incorrect,
if the file is already owned by "uucp".  In such a case, a test should be
performed by testing the ownership, and alternately, the group membership.

  In preparing this bug report, I also noticed similar problems with writing
files produced by "uucp".

EXAMPLE:

	$ cd /tmp
	$ ls -lda . bugfile
	drwxrwxrwx   3 root     root        1248 Jul 24 15:28 .
	-rw-rw----   1 uucp     uucp           0 Jul 24 15:26 bugfile
	$ uucp bugfile ariel!~/rick/bugfile
	can't read file (/tmp/bugfile) mode (100660)
	$

FIX BY:

  Replace all code reference of "ANYREAD" and "ANYWRITE" in "uucp.c"
with the appropriate "access(3)" code.

				Richard L. Maus, Jr. (Rick)
				AT&T-IS(@BTL) HO 1K313 201-834-4532
				...!ho???!ariel!rick