Path: utzoo!utgpu!water!watmath!uunet!labrea!rutgers!bellcore!tness7!bigtex!james From: james@bigtex.uucp (James Van Artsdalen) Newsgroups: unix-pc.general Subject: Re: UNIXPC uucp problem Message-ID: <4088@bigtex.uucp> Date: 16 Jul 88 04:21:26 GMT References: <1988Jun27.202651.9458@ziebmef.uucp> <103@cjsa.UUCP> <1988Jul4.173733.7088@ziebmef.uucp> Reply-To: james@bigtex.UUCP (James Van Artsdalen) Organization: F.B.N. Software, Austin TX Lines: 32 IN article <1988Jul4.173733.7088@ziebmef.uucp>, cks@ziebmef.UUCP (Chris Siebenmann) wrote: > Actually, all uucp dialins have to share the same UID as 'uucp'. If uucico should be suid to the uucp user. uucico doesn't care what the real uid is. It does use the login name to reference the Permissions file (assuming we're talking HDB uucp). > In hindsight, this makes sense; it means that people can't just > invoke uucico from their own accounts and pretend to be some random > machine. Instead you somehow have to set your uid to the 'uucp' UID. > Could have been worse, I suppose; they could have hardcoded the uucp Actually, I understand that the uucp uid is indeed a configurable constant in the uucp package. I can't imagine what it's used for though: if someone forgets to make uucico suid, that will be obvious soon enough, and file read/write permissions are based on the Permissions file and whether or not the file is readable/writable by "other". The security measures to prevent someone from spoofing uucp this way revolve around the use of the Permissions file and the VALIDATE keyword (if you don't use VALIDATE, do so). When uucico is started in master mode, the transfer permissions are granted based on the machine name. But when uucico is started in slave mode (as it would be if a user ran it), permissions are granted based on the login name, *not* the machine name. This is why VALIDATE is so important. Note that uucico takes the login name from /etc/utmp to prevent spoofing (or at least it should). -- James R. Van Artsdalen ...!ut-sally!utastro!bigtex!james "Live Free or Die" Home: 512-346-2444 Work: 328-0282; 110 Wild Basin Rd. Ste #230, Austin TX 78746