Path: utzoo!utgpu!attcan!uunet!lll-winken!lll-tis!ames!ncar!tank!uxc!uxc.cso.uiuc.edu!uxg.cso.uiuc.edu!uicsrd.csrd.uiuc.edu!kai
From: kai@uicsrd.csrd.uiuc.edu
Newsgroups: comp.bugs.4bsd
Subject: security hole in uuq -d
Message-ID: <43800007@uicsrd.csrd.uiuc.edu>
Date: 14 Dec 88 20:54:00 GMT
Lines: 12
Nf-ID: #N:uicsrd.csrd.uiuc.edu:43800007:000:562
Nf-From: uicsrd.csrd.uiuc.edu!kai    Dec 14 14:54:00 1988


There is a serious security hole in the 4.3 bsd /usr/bin/uuq program that
allows everyone to delete anyone's UUCP jobs.  The manpage says that only the
UUCP administrator is permitted to delete UUCP jobs, but experiments have
proven the documentation is incorrect.

It would be preferable if any user were allowed to delete their own UUCP
jobs, but not one belonging to any other user.  Root and UUCP should be
able to delete any UUCP job.

	Thanks
	Patrick Wolfe  (pat@kai.com, kailand!pat, kai@uicsrd.csrd.uiuc.edu)
	System Manager, Kuck and Associates, Inc.