Xref: utzoo news.admin:4069 comp.mail.uucp:2343
Path: utzoo!attcan!uunet!husc6!mailrus!umix!b-tech!zeeff
From: zeeff@b-tech.ann-arbor.mi.us (Jon Zeeff)
Newsgroups: news.admin,comp.mail.uucp
Subject: Re: How safe is UUCP? (Was: Virus in the future?)
Message-ID: <4950@b-tech.ann-arbor.mi.us>
Date: 25 Nov 88 15:21:42 GMT
References: <74@dsoft.UUCP> <196@libove.UUCP> <8623@rpp386.Dallas.TX.US> <178@heart-of-gold> <1970@van-bc.UUCP>
Reply-To: zeeff@b-tech.ann-arbor.mi.us (Jon Zeeff)
Organization: Branch Technology Ann Arbor, MI
Lines: 58

In article <1970@van-bc.UUCP> sl@van-bc.UUCP (pri=-10 Stuart Lynne) writes:
>In article <178@heart-of-gold> jc@heart-of-gold (John M Chambers) writes:
>>In article <8623@rpp386.Dallas.TX.US>, jfh@rpp386.Dallas.TX.US (John F. Haugh II) writes:
>>
>details. Most of the problems I know about are fixed in modern uucp's but
>still are extant in a lot of running systems. The moral is if you aren't
>HDB is rumoured to have problems but is probably orders of magnitude safer
>than the older versions.

True, even HDB has security problems (at least some recent versions).  As
most systems are set up, breaking uucp allows you to plant trojan horses
that just about everyone will run.  This *is* a serious problem.

Here is one thing you can do to help:

/*

As things are, if someone breaks uucp they can probably break everything
else by planting trojan horses in /usr/bin.  Here is a secure version
of uux.  Copy the real uux to /usr/lib/uucp and install this as /usr/bin/uux.
Make it suid root.

---s--x--x   1 root     sys          684 Nov 21 11:17 /usr/bin/uux*

Note that other uucp programs and news have the same problem (no one should
be executing programs owned by a possibly unsecure id).

*/

#include <stdio.h>
#include <unistd.h>

#define PROGRAM "/usr/lib/uucp/uux"

/* change these to fit */

#define UID 105  /* nobody */
#define GID 13   /* none */

int main(int argc, char **argv)
{
    (void)argc;

    /* Drop the group first: once setuid() has given up root,
       a later setgid() to another group would fail. */
    if (setgid(GID) != 0 || setuid(UID) != 0) {
        perror("uux wrapper");
        return 1;   /* never run the real uux with privileges left */
    }

    execv(PROGRAM, argv);
    return 1;       /* only reached if execv failed */
}

--
  Jon Zeeff                     zeeff@b-tech.ann-arbor.mi.us
  Support ISO 8859/1            zeeff%b-tech.uucp@umix.cc.umich.edu
  Ann Arbor, MI                 umix!b-tech!zeeff