kai@uicsrd.csrd.uiuc.edu (12/15/88)
There is a serious security hole in the 4.3 bsd /usr/bin/uuq program that allows everyone to delete anyone's UUCP jobs. The manpage says that only the UUCP administrator is permitted to delete UUCP jobs, but experiments have proven the documentation is incorrect. It would be preferable if any user were allowed to delete their own UUCP jobs, but not one belonging to any other user. Root and UUCP should be able to delete any UUCP job.
Thanks
Patrick Wolfe (pat@kai.com, kailand!pat, kai@uicsrd.csrd.uiuc.edu)
System Manager, Kuck and Associates, Inc.
rick@seismo.CSS.GOV (Rick Adams) (12/18/88)
fixed in 4.3-tahoe
dhesi@bsu-cs.UUCP (Rahul Dhesi) (12/19/88)
In article <43800007@uicsrd.csrd.uiuc.edu> kai@uicsrd.csrd.uiuc.edu writes:
> There is a serious security hole in the 4.3 bsd /usr/bin/uuq
> program that allows everyone to delete anyone's UUCP jobs.
I recommend the following:
# chown uucp.daemon uuq
# chmod 101 uuq; chmod g+s uuq
This makes uuq set-gid to daemon. Then make sure all your uucp jobs
are in files that are readable by daemon but not writable by it.
--
Rahul Dhesi UUCP: <backbones>!{iuvax,pur-ee}!bsu-cs!dhesi
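A check for the layout recommended in the post above, written as an added example that is not part of the thread: it confirms that the binary ends up with mode 2101 and lists any job file that the set-gid group cannot read or can write. The function names are hypothetical, and the binary path, job directory and group are passed as arguments because the thread does not name them.

```shell
#!/bin/sh
# Added example, not code from the thread. All function names are hypothetical.

# check_uuq_mode BIN
# Succeeds only if BIN is a regular file whose mode is exactly 2101,
# which is what "chmod 101 uuq; chmod g+s uuq" produces:
# execute-only for owner and others, plus the set-gid bit.
check_uuq_mode() {
    [ -n "$(find "$1" -prune -type f -perm 2101 -print 2>/dev/null)" ]
}

# list_bad_jobs DIR GROUP
# Prints every regular file under DIR that is not in GROUP, or is not
# group-readable, or is group-writable. Empty output means every job
# file is readable but not writable through the set-gid group.
list_bad_jobs() {
    find "$1" -type f ! \( -group "$2" -perm -040 ! -perm -020 \) -print
}

# audit_uuq BIN DIR GROUP
# Returns 0 only if both checks pass; reports failures on stderr.
audit_uuq() {
    check_uuq_mode "$1" || { echo "unexpected mode on $1" >&2; return 1; }
    bad=$(list_bad_jobs "$2" "$3")
    [ -z "$bad" ] || { echo "job files failing the check:" >&2
                       echo "$bad" >&2; return 1; }
}
```

Called as `audit_uuq <path to uuq> <job directory> daemon`, it exits non-zero and names the offending files when the permissions drift from the recommendation.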