Path: utzoo!mnetor!uunet!cbmvax!rutgers!mtunx!jhc
From: jhc@mtunx.ATT.COM (Jonathan Hawbrook-Clark)
Newsgroups: comp.mail.uucp
Subject: Re: HDB uucp security hole ?
Message-ID: <2168@mtunx.ATT.COM>
Date: 8 Apr 88 04:03:45 GMT
References: <4210002@hpirs.HP.COM>
Reply-To: jhc@mtunx.ATT.COM (Jonathan Hawbrook-Clark)
Organization: AT&T ISL Middletown NJ USA
Lines: 16

In article <4210002@hpirs.HP.COM> dennis@hpirs.HP.COM (Dennis D. Lee) writes:
>  On AT&T System V.2.1 uucp (HoneyDanBer) , the remote system's password is
>  printed when using the -x option with a level higher than 3. 

I won't swear that this is the case in the version you reference, but
at least in later versions such debugging information can be restricted
such that it is only printed out when the GID of the invoker passes
certain tests. Typically the code is built such that the information
is printed when 'root' is running uucico by hand, otherwise a string
of question marks is emitted. However, this is a compile-time option,
and whoever built the code can set it up any way s/he wants.
-- 
Jonathan Clark		jonathan.clark@mtune.att.com, attmail!jonathan
Any affiliation is given for identification purposes only.

The Englishman never enjoys himself except for some noble purpose.