Xref: utzoo news.sysadmin:1952 news.admin:4316
Path: utzoo!attcan!uunet!ncrlnk!ncr-sd!hp-sdd!hplabs!pyramid!epimass!jbuck
From: jbuck@epimass.EPI.COM (Joe Buck)
Newsgroups: news.sysadmin,news.admin
Subject: Re: rnews: security hole. Too bad.
Keywords: bug
Message-ID: <2737@epimass.EPI.COM>
Date: 16 Dec 88 17:35:06 GMT
References: <1219@altger.UUCP> <2567@stpstn.UUCP> <1299@vsi1.COM>
Reply-To: jbuck@epimass.EPI.COM (Joe Buck)
Organization: Entropic Processing, Inc., Cupertino, CA
Lines: 26

In article <2567@stpstn.UUCP> aad@stpstn.UUCP (Anthony A. Datri) writes:
=If you're going to send articles somewhere, you've got to
=have some other machine that's explicitly willing to take it from you,

In article <1299@vsi1.COM> lmb@vicom.COM (Larry Blair) writes:
>Not true. You can dump news on any system that you have a uucp connection
>to. I could dump all of our news on, say, osu-cis, if I wanted to. About
>the only way they could stop me would be to remove "rnews" from the L.cmds
>file (or remove the anonymous login).

It depends. If you run HDB UUCP, there is no such file as L.cmds.
The Permissions file allows you to specify separate sets of legal
commands for each neighbor, and only permit your official Usenet
neighbors to execute "rnews". An archive site that permits anonymous
UUCP could prevent the "anonymous" login from sending mail or news,
if desired, permitting nothing but file transfers from a specified
directory, while official news and mail neighbors pound away.

So, if osu-cis were configured this way, then no, you couldn't dump
news on them.

--
- Joe Buck jbuck@epimass.epi.com, or uunet!epimass.epi.com!jbuck,
  or jbuck%epimass.epi.com@uunet.uu.net for old Arpa sites
I am of the opinion that my life belongs to the whole community, and as long
as I live it is my privilege to do for it whatever I can. -- G. B. Shaw
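
Added example, not part of the original post: a small audit of an HDB UUCP Permissions file that reports which systems may execute "rnews" without being on the site's list of official news neighbors. The host names (feedhost, peerhost), the nuucp login, the directory and the file contents are constructed; the parser assumes the usual Permissions layout (name=value options, colon-separated lists, backslash line continuation, MACHINE=OTHER for systems not named elsewhere).

```python
import os

# Constructed sample Permissions file; names and paths are hypothetical.
SAMPLE = """\
# official news and mail neighbors
MACHINE=feedhost:peerhost \\
    COMMANDS=rmail:rnews
# anonymous archive login: file requests from one directory only
LOGNAME=nuucp REQUEST=yes SENDFILES=no READ=/usr/spool/uucppublic
# catch-all for every system not named above
MACHINE=OTHER COMMANDS=rmail:/usr/bin/rnews
"""
# Corrected variant: the catch-all entry no longer lists rnews.
HARDENED = SAMPLE.replace(":/usr/bin/rnews", "")

def parse_permissions(text):
    """Return a list of entries, each a dict of option -> list of values."""
    entries, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):            # backslash joins physical lines
            pending += line[:-1] + " "
            continue
        logical, pending = pending + line, ""
        entry = {}
        for pair in logical.split():
            key, _, value = pair.partition("=")
            entry[key.upper()] = value.split(":") if value else []
        entries.append(entry)
    return entries

def systems_allowed(entries, command="rnews"):
    """Map each MACHINE name to True if it may run `command` via uux."""
    allowed = {}
    for entry in entries:
        # Commands may be given with a full path; compare on the base name.
        cmds = {os.path.basename(c) for c in entry.get("COMMANDS", [])}
        ok = "ALL" in cmds or command in cmds
        for name in entry.get("MACHINE", []):
            allowed[name] = allowed.get(name, False) or ok
    return allowed

def audit(text, neighbors, command="rnews"):
    """Return systems that may run `command` but are not listed neighbors."""
    allowed = systems_allowed(parse_permissions(text), command)
    return sorted(n for n, ok in allowed.items() if ok and n not in neighbors)
```
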