Path: utzoo!attcan!uunet!pyrdc!netsys!killer!root
From: root@killer.DALLAS.TX.US (Admin)
Newsgroups: news.admin
Subject: Re: How safe is UUCP? (Was: Virus in the future?)
Summary: incorrect, Judy
Message-ID: <6154@killer.DALLAS.TX.US>
Date: 18 Nov 88 16:58:47 GMT
References: <74@dsoft.UUCP> <196@libove.UUCP> <2654@sultra.UUCP> <4267@moray.UUCP>
Organization: The Unix(R) Connection, Dallas, Texas
Lines: 31

> Another 3b1 user lost his root password and additionally had garbled his
> L.sys file. He told me what he had in his L.sys file, and I logged in on my
> machine as root and made him up another L.sys and then proceeded (with his
> permission and the other party on voice line as this was occurring) to
> *overwrite* his garbaged L.sys so he could call and pick up his mail/files
> or whatever. This is one large security hole, and it comes that way right
> out of the box from AT&T. Default needs to be uucp, /usr/spool/uucppublic.
                                                ^^^^ Never! Use nuucp.
>

The uucp login should NEVER be used for remote access as this is the
owner of /usr/lib/uucp with write permissions on the directory AND files
therein. And, the allowed commands should, at most, be
COMMANDS=rmail:rnews. If uucp is an allowed command, what that machine
could be made to do from a remote is rather interesting to say the least.

As a guess, you were probably using the uucp login for the above process.
Do you think it would not be possible for this to be done from any remote
site that could access that machine as uucp? It would also be possible to
request the L.sys (Systems) file, masquerade as his machine to one his
"knows" and it would be his machine supposedly doing the damage.

The security "hole" is not in the way it "comes out of the box from ATT"
but in how the SA sets the thing up - it comes with absolutely no setup,
leaving this for the owner to do. Most all *nix systems come "out of the
box" with no passwords at all on any id. It is the owner's responsibility
to place these or suffer the results and not doing so isn't a defect in
the way the operating system is delivered.

> Judy Scheltema           | uunet!nuchat!moray!judy
> Houston, Texas           | bellcore!texbell!moray!judy

Charlie Boykin
killer!root
killer!sysop
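
An audit of the settings discussed in the post above, as an added example that is not part of the original message. It assumes the HoneyDanBer Permissions file syntax (name=value pairs, colon-separated lists, backslash continuation) that COMMANDS=rmail:rnews belongs to; the sample entries and the function names are constructed for illustration.

```python
# Constructed sample Permissions entries; not taken from any real system.
SAMPLE_PERMISSIONS = r"""
# dial-in login kept separate from the uucp owner id
LOGNAME=nuucp REQUEST=no SENDFILES=call \
    READ=/usr/spool/uucppublic WRITE=/usr/spool/uucppublic
LOGNAME=uucp:nuucp2 REQUEST=yes READ=/ WRITE=/
MACHINE=moray COMMANDS=rmail:rnews
MACHINE=OTHER COMMANDS=rmail:uucp:/bin/sh
MACHINE=lab7 COMMANDS=ALL
"""

SAFE_COMMANDS = {"rmail", "rnews"}  # the post's "at most" list


def parse_entries(text):
    """Join backslash-continued lines and return one dict per entry."""
    entries, pending = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line = (pending + line).strip()
        pending = ""
        if line:
            entries.append({k.upper(): v.split(":") for k, v in
                            (tok.split("=", 1) for tok in line.split() if "=" in tok)})
    return entries


def audit(text):
    """Return (entry_number, finding) tuples for risky settings."""
    findings = []
    for n, entry in enumerate(parse_entries(text), 1):
        if "uucp" in entry.get("LOGNAME", []):
            findings.append((n, "LOGNAME includes uucp, the owner of /usr/lib/uucp"))
        extra = [c for c in entry.get("COMMANDS", [])
                 if c.rsplit("/", 1)[-1] not in SAFE_COMMANDS]
        if extra:
            findings.append((n, "COMMANDS beyond rmail/rnews: " + ":".join(extra)))
        if entry.get("REQUEST") == ["yes"]:
            findings.append((n, "REQUEST=yes lets the remote site request files"))
    return findings


if __name__ == "__main__":
    for n, finding in audit(SAMPLE_PERMISSIONS):
        print(f"entry {n}: {finding}")
```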