Xref: utzoo comp.mail.uucp:1311 comp.unix.xenix:2280
Path: utzoo!attcan!uunet!lll-winken!lll-tis!ames!ucsd!ucsdhub!hp-sdd!hplabs!sdcrdcf!trwrb!ucla-an!remsit!stb!michael
From: michael@stb.UUCP (Michael)
Newsgroups: comp.mail.uucp,comp.unix.xenix
Subject: Re: UUCP security
Message-ID: <10295@stb.UUCP>
Date: 15 May 88 21:14:18 GMT
References: <4210002@hpirs.HP.COM> <7049@mcdchg.UUCP> <234@ateng.UUCP>
Reply-To: michael@stb.UUCP (Michael)
Organization: STB BBS, La, Ca, Usa, +1 213 459 7231
Lines: 25

In article <234@ateng.UUCP> chip@ateng.UUCP (Chip Salzenberg) writes:
>In article <7049@mcdchg.UUCP> heiby@mcdchg.UUCP (Ron Heiby) writes:
>>I'm uid=501(heiby) gid=101(mot) on my system, and bunches of "?" are
>>displayed instead of sensitive information when I invoke uucico.
>>When I invoke uucico while logged in as "root", I get to see everything.
>>If your implementation does not do this, then it should be fixed
>>by your vendor.
>
>Actually, what should be fixed are the access permissions of uucico: 6770.
>
[details ommited]

Actually, there is something much better than this: 2770.

All the uucp programs should use set-G-id for protection; it is sufficient
to maintain security. The problem with set-U-id, especially for uucp, is
that uucp and uux cannot read your files unless they are world-readable,
which means anyone can read them, and the whole security feature is lost.

			Michael
: --- 
: Michael Gersten          uunet.uu.net!ucla-an.ANES\ 
:				 ihnp4!hermix!ucla-an!denwa!stb!michael
:				sdcsvax!crash!gryphon!denwa!stb!michael
: "Machine Takeover? Just say no."
: "Sockets? Just say no."     <-- gasoline