Path: utzoo!utgpu!attcan!uunet!lll-winken!ames!ncar!boulder!sunybcs!rutgers!att!whuts!homxb!genesis!andys
From: andys@genesis.ATT.COM (a.b.sherman)
Newsgroups: news.admin
Subject: Re: Is uunet a security hole?
Summary: Sys V HDB doesn't display passwords
Keywords: uucp logins security
Message-ID: <510@genesis.ATT.COM>
Date: 6 Jan 89 15:37:11 GMT
References: <10420@rpp386.Dallas.TX.US> <44465@beno.seismo.CSS.GOV> <300@ssbn.WLK.COM> <44466@beno.seismo.CSS.GOV>
Reply-To: andys@shlepper.ATT.COM (a.b.sherman)
Organization: AT&T Bell Laboratories, Middletown, N.J.
Lines: 30

In article <44466@beno.seismo.CSS.GOV> rick@seismo.CSS.GOV (Rick Adams) writes:
>> I set up a separate group that is exclusively for uucp neighbors and my
>> own local user account.  I then removed "other" execute permissions from
>> uucico and Uutry and "other" write permissions from almost everything.
>> This keeps a mischievous local user (I'm not aware of any) from running
>> a uucico by hand and watching the phone number and login information from
>> being displayed or doing it with Uutry and having it saved to a file!
>> Putting my local account in that group lets me work with the Systems, etc.
>> files without having to su.
>
>If uutry allows people without normal read access (i.e. use the access
>system call on the System file) to run uucico with debugging, then it
>is badly broken and should be fixed.  The BSD uucico fixed this
>many years ago.

The Basic Networking Utilities (HoneyDanBer UUCP) on System V Release 3
(maybe earlier) does not give out passwords to non-super users.  It will
display copious debugging information to anybody, but all strings
*SENT* are displayed as ?????????? to all but root.  If you are so bold
as to have no uucp password, anybody can use this to figure out how to
get in to your system, since uucico is happy to display anything you
echo back (like the login id).  If you have a password, there is no
security breach.

--
andy sherman / at&t bell laboratories (medical diagnostic systems)
room 2e-108 / 185 monmouth pkwy / west long branch, nj 07764-1394
(201) 870-7018 / andys@shlepper.ATT.COM
...The views and opinions are my own.  Who else would want them?
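
Added example, not part of the original post and not BNU source code: a small C sketch of the debug-output behaviour described above, where strings sent by the chat script are masked for everyone but root while received text is shown. The `mask_echo` option goes beyond the post and also hides received text that repeats a sent string; the struct, function names and sample login values are assumptions made for illustration.

```c
/* Illustration only: not HoneyDanBer/BNU code. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MASK "??????????"
#define MAX_SENT 8

struct redactor {
    const char *sent[MAX_SENT]; /* strings sent so far (pointers, not copies) */
    int nsent;
    int privileged;             /* assumption: set from the REAL uid, getuid() == 0 */
    int mask_echo;              /* 0 = behaviour the post describes, 1 = also hide echoes */
};

/* Format one chat-script debug line. dir 's' = we sent text, 'r' = we received it. */
char *debug_line(struct redactor *r, char dir, const char *text, char *out, size_t n)
{
    if (dir == 's') {
        if (*text && r->nsent < MAX_SENT)
            r->sent[r->nsent++] = text;
        snprintf(out, n, "sent: %s", r->privileged ? text : MASK);
        return out;
    }
    if (!r->privileged && r->mask_echo)
        for (int i = 0; i < r->nsent; i++)
            if (strstr(text, r->sent[i])) {   /* remote echoed something we sent */
                snprintf(out, n, "got: %s", MASK);
                return out;
            }
    snprintf(out, n, "got: %s", text);
    return out;
}

int main(void)
{
    /* Constructed exchange; the login id and password are sample values. */
    static const struct { char dir; const char *text; } chat[] = {
        {'r', "login:"}, {'s', "Uexample"}, {'r', "Uexample"},
        {'r', "Password:"}, {'s', "sample-pass"}, {'r', ""},
    };
    for (int mode = 0; mode <= 1; mode++) {
        struct redactor r = { .privileged = (getuid() == 0), .mask_echo = mode };
        char buf[128];
        printf("-- mask_echo=%d\n", mode);
        for (size_t i = 0; i < sizeof chat / sizeof chat[0]; i++)
            puts(debug_line(&r, chat[i].dir, chat[i].text, buf, sizeof buf));
    }
    return 0;
}
```

Run as a non-root user, the first pass prints the echoed login id in clear while the sent strings are masked; the second pass masks the echo as well.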