Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!mailrus!cornell!batcomputer!itsgw!steinmetz!uunet!seismo!rick
From: rick@seismo.CSS.GOV (Rick Adams)
Newsgroups: news.admin
Subject: Re: Is uunet a security hole?
Summary: uutry must be broken
Keywords: uucp logins security
Message-ID: <44466@beno.seismo.CSS.GOV>
Date: 30 Dec 88 17:37:53 GMT
References: <10420@rpp386.Dallas.TX.US> <44465@beno.seismo.CSS.GOV> <300@ssbn.WLK.COM>
Organization: Center for Seismic Studies, Arlington, VA
Lines: 13

> I set up a separate group that is exclusively for uucp neighbors and my
> own local user account. I then removed "other" execute permissions from
> uucico and Uutry and "other" write permissions from almost everything.
> This keeps a mischievous local user (I'm not aware of any) from running
> a uucico by hand and watching the phone number and login information from
> being displayed or doing it with Uutry and having it saved to a file!
> Putting my local account in that group lets me work with the Systems, etc.
> files without having to su.

If uutry allows people without normal read access (i.e. use the access
system call on the System file) to run uucico with debugging, then it
is badly broken and should be fixed. The BSD uucico fixed this many years
ago.
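
[Added example, not part of the original post and not taken from any uucp source: a C sketch of the check the reply describes, where a setuid program honours a debug request only if the invoking (real) user could read the Systems file unaided. The function names and the temporary stand-in file are assumptions made for illustration.]

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical helper: the debug level a setuid transfer program should
 * honour. access(2) tests permissions with the REAL uid/gid, not the
 * effective ones, so it answers "could the person who ran me read this
 * file without my setuid privileges?". If not, debugging is refused,
 * because debug output would echo phone numbers and login chat. */
int allowed_debug_level(const char *systems_path, int requested)
{
    if (requested <= 0)
        return 0;
    if (access(systems_path, R_OK) != 0)
        return 0;               /* caller may not read it: no debug output */
    return requested;
}

/* Constructed case 1: a stand-in Systems file the caller owns (mode 0600). */
int demo_readable_case(void)
{
    char path[] = "/tmp/systems_demo_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    close(fd);
    int level = allowed_debug_level(path, 9);
    unlink(path);
    return level;               /* request is honoured */
}

/* Constructed case 2: the path is gone, so access() fails and the
 * request is dropped, the same outcome as a permission failure. */
int demo_unreadable_case(void)
{
    char path[] = "/tmp/systems_demo_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    close(fd);
    unlink(path);
    return allowed_debug_level(path, 9);
}

int main(void)
{
    printf("readable:   debug level %d\n", demo_readable_case());
    printf("unreadable: debug level %d\n", demo_unreadable_case());
    return 0;
}
```

[The check gates only whether debug output is produced; it is not a substitute for permission checks when the program later opens files, since access() followed by open() is a race.]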