Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!rutgers!iuvax!bsu-cs!dhesi From: dhesi@bsu-cs.UUCP (Rahul Dhesi) Newsgroups: comp.bugs.4bsd Subject: Re: security hole in uuq -d Message-ID: <5235@bsu-cs.UUCP> Date: 18 Dec 88 17:41:39 GMT References: <43800007@uicsrd.csrd.uiuc.edu> Reply-To: dhesi@bsu-cs.UUCP (Rahul Dhesi) Organization: CS Dept, Ball St U, Muncie, Indiana Lines: 13 In article <43800007@uicsrd.csrd.uiuc.edu> kai@uicsrd.csrd.uiuc.edu writes: There is a serious security hole in the 4.3 bsd /usr/bin/uuq program that allows everyone to delete anyone's UUCP jobs. I recommend the following: # chown uucp.daemon uuq # chmod 101 uuq; chmod g+s uuq This makes uuq set-gid to daemon. Then make sure all your uucp jobs are in files that are readable by daemon but not writable by it. -- Rahul Dhesi UUCP: !{iuvax,pur-ee}!bsu-cs!dhesi