Path: utzoo!attcan!uunet!husc6!mailrus!ames!killer!texbell!uhnix1!moray!judy
From: judy@moray.UUCP (Judy Scheltema)
Newsgroups: news.admin
Subject: Re: How safe is UUCP? (Was: Virus in the future?)
Message-ID: <4267@moray.UUCP>
Date: 17 Nov 88 05:13:12 GMT
References: <74@dsoft.UUCP> <196@libove.UUCP> <2654@sultra.UUCP>
Reply-To: judy@moray.UUCP (Judy Scheltema)
Organization: Houston, Tx Bbslist Headquarters
Lines: 42

>> and my /usr/lib/uucp/USERFILE contains
>>  uucp, /
>>  , /
>> 
>> So, how vulnerable am I?
>> Jay Libove		ARPA:	jl42@andrew.cmu.edu or libove@cs.cmu.edu
>I'd have to go and wade through the UUCP documentation again, but it seems to
>me that your USERFILE will allow me (or anyone else) to copy *anything* off
>your system.  This is very wrong.  Try simulating an attack on yourself, by
>logging in as 'uucp' (or nuucp).  See above.
>						- Der
>	dtynan@sultra.UUCP  (Dermot Tynan @ Tynan Computers)

With that listing in your USERFILE, I can write *anywhere* on your hard disk.
Another 3b1 user lost his root password and additionally had garbled his
L.sys file. He told me what he had in his L.sys file, and I logged in on my
machine as root and made him up another L.sys and then proceeded (with his
permission and the other party on voice line as this was occuring) to
*overwrite* his garbaged L.sys so he could call and pick up his mail/files
or whatever. This is one large security hole, and it comes that way right
out of the box from AT&T. Default needs to be uucp, /usr/spool/uucppublic.
Then, as the novice users learn what it is all about, if they want to change
it to permit access to other areas, at least at this point they should have
a bit more knowledge about the implications of the change (theoretically :-)).

Judy

Newsgroups: news.admin
Subject: Re: How safe is UUCP? (Was: Virus in the future?)
Summary: 
Expires: 
References: <74@dsoft.UUCP> <196@libove.UUCP> <2654@sultra.UUCP>
Sender: 
Reply-To: judy@moray.UUCP (Judy Scheltema)
Followup-To: 
Distribution: 
Organization: Houston, Tx Bbslist Headquarters
Keywords: 

-- 
Judy Scheltema                |                     uunet!nuchat!moray!judy
Houston, Texas                |                 bellcore!texbell!moray!judy