> The convention was to use ``uucp'' as the default anonymous login
> service.

I think we're talking about two different things. Yes, many
UNIX distributions shipped with a passwordless 'uucp' account
with uucico as the shell. My comments about the 'nuucp'
convention were referring to the publically visible anonymous
UUCP sites.

>  Some people had the mistaken impression that there was some
> sort of "hole" in the uucp system which was caused by using uucp as a
> default login for uucp service.  No such hole existed in modern uucico
> processes, although there were bugs in early uucico (7th Edition
> vintage) which may be the reason that these rumors started.

I think much of this was related to the System V (R0 and R1)
getty/login environment, where you could pass in arbitrary environment
variables along with the login id. If your machine was poorly
configured this could be used to bypass restricted shell environments.
I can see where uucico shells could get lumped in with the rsh (the
shell, not the network utility) environment bugs.

Early uucico's were definately buggy, however I don't recall these
bugs ever being exploited to compromise security. (Well, you could
do DOS attacks by getting the remote uucico to drop core, leaving
a LCK..site file lying around. SCO's uucico could be made to do
this just by making faces at it.)

> With the HoneyDanBer uucp, there were no
> security holes in uucico and it was completely safe to use uucp as an
> anonymous login service.

I wouldn't be that absolute. No security holes were ever demonstrated,
which isn't the same as saying they weren't there. (Did anyone ever
breach ihnp4?)

> That said, for max security it is always useful to have each site have
> its own login, up to a point.  Some large uucp sites used to use common
> logins simply because there was so little security risk (especially with
> HoneyDanBer variety). 

Unique logins provided fine-grained policy control. If site foo
started doing bad things (deliberately or by accident) you want
to be able to knock it down without taking out other functioning

HDB's ability to require a particular UUCP node to connect only with
a specific login id was a very nice feature. (Or was it Taylor that
introduced that? My memory is getting a wee bit fuzzy.)

> Certainly, anonymous uucp is more secure than
> anonymous ftp.

For the server. The client side of the copy could definately use
some work.


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message

Reply via email to