Xref: utzoo comp.unix.xenix:4585 comp.mail.uucp:2670
Path: utzoo!attcan!uunet!lll-winken!ncis.llnl.gov!helios.ee.lbl.gov!pasteur!agate!bionet!csd4.milw.wisc.edu!mailrus!purdue!haven!vrdxhq!bms-at!stuart
From: stuart@bms-at.UUCP (Stuart Gathman)
Newsgroups: comp.unix.xenix,comp.mail.uucp
Subject: USERFILE, can this be true?
Keywords: user,machine directory
Message-ID: <151@bms-at.UUCP>
Date: 21 Jan 89 22:20:03 GMT
Organization: Business Management Systems, Inc., Fairfax, VA
Lines: 15

After years of trying to use the userid field in /usr/lib/uucp/USERFILE,
I finally figured out what it is.  It appears to be the userid of
the person initiating the request on the *remote* machine.  

All this time I thought it was the uucp login assigned to the remote
machine.  This seems incredible.  The assumption seems to be that 
all connected machines are trustworthy, and only users need be regarded
with suspicion.  Any machine with any uucp password can masquerade as
any other machine.

Is this true?  Is there any thing that can be done?  (Other than
get HDB.)  Is there any way to restrict a particular uucp login?
-- 
Stuart D. Gathman	<stuart@bms-at.uucp>
			<..!{vrdxhq|daitc}!bms-at!stuart>