
What to do about forgeries?


Jeff Davis

Nov 11, 1992, 10:32:40 AM
We have always run a system based upon trust: a single login,
nuucp, for all of our nodes. Everyone has always behaved and
no one has pretended to be another node to scarf up another
node's mail. Now, we find that we are in need of more security
but simply adding more logins doesn't appear to change anything:
someone logging in under, say, xuucp still has access to the
entire scope of the mail system. Obviously, we don't know
squat since this seems to be a fairly elemental question, but
how can we prevent a node from pretending to be another node?
Or gaining access to mail it shouldn't get? Is it just a question
of an after-the-fact check of xferstats? That doesn't really
appear to be quite adequate.

--
Jeff Davis <da...@keats.ca.uky.edu>

Ian Lance Taylor

Nov 11, 1992, 8:55:31 PM
fe...@ms.uky.edu (Jeff Davis) writes:

I'm going to assume that you are using HDB UUCP, since you mentioned
the xferstats file.

You need to set up your Permissions file. The semantics are somewhat
confusing (at least to me). The simple way to do it is for each
system that calls in, put a line in Permissions that looks like this:

MACHINE=sys LOGNAME=Usys VALIDATE=sys

You can then give READ, WRITE, etc. commands if you wish, although the
defaults are probably fine. See the man page on Permissions for what
you can specify.

Use a different LOGNAME for each system. Enter each LOGNAME in
/etc/passwd with the same uid as nuucp and with a different password
for each one. Tell the people who call you to start using the new
login name and password, since nuucp will no longer work.

Then the data routed for each system is secure (from other remote
systems, not necessarily from local users) so long as nobody else
finds out their password.
--
Ian Taylor | i...@airs.com | First to identify quote wins free e-mail message:
``Things are either isolated units, or they form one inseparable whole. If
that whole be God, then all is well; but if aimless chance, at least you
need not be aimless also.''
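
The per-system LOGNAME/VALIDATE setup described above can be checked mechanically. The script below is an added example, not part of the original thread: it audits an HDB-style Permissions file for logins that are not tied to exactly one system. The sample file, its system and login names, and the wording of the findings are constructed for illustration.

```python
import re

# Constructed sample Permissions file (system and login names are made up).
SAMPLE = """\
# per-system entries
MACHINE=alpha LOGNAME=Ualpha VALIDATE=alpha
MACHINE=beta LOGNAME=Ubeta \\
    VALIDATE=beta READ=/var/spool/uucppublic
# legacy shared login, no VALIDATE
LOGNAME=nuucp MACHINE=epsilon
MACHINE=gamma:delta LOGNAME=Ushared VALIDATE=gamma:delta
"""

def parse_permissions(text):
    """Return one {OPTION: [values]} dict per logical entry."""
    joined = re.sub(r"\\\n", " ", text)       # join backslash-continued lines
    entries = []
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        entry = {}
        for field in line.split():
            key, _, value = field.partition("=")
            entry[key.upper()] = value.split(":")  # lists are colon-separated
        entries.append(entry)
    return entries

def audit(text):
    """Return sorted findings for entries that leave room for impersonation."""
    entries = parse_permissions(text)
    findings, validated = [], set()
    for e in entries:
        systems = e.get("VALIDATE", [])
        validated.update(systems)
        for login in e.get("LOGNAME", []):
            if not systems:
                findings.append(f"{login}: no VALIDATE, system name not tied to login")
            elif len(systems) > 1:
                findings.append(f"{login}: shared by {', '.join(systems)}")
    for e in entries:
        for name in e.get("MACHINE", []):
            if name not in validated:
                findings.append(f"{name}: MACHINE entry but no login validates it")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
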

Leslie Mikesell

Nov 12, 1992, 12:15:32 PM
In article <58...@airs.com> i...@airs.com (Ian Lance Taylor) writes:
>Use a different LOGNAME for each system. Enter each LOGNAME in
>/etc/passwd with the same uid as nuucp and with a different password
>for each one. Tell the people who call you to start using the new
>login name and password, since nuucp will no longer work.

I like to give them different uids as well. Then "who", "ps", "uustat -p",
"uustat -a", "last", etc. will all show you meaningful names instead of the
first match in the passwd file. Since uucico runs suid, it doesn't matter
that the real uid is different.

Les Mikesell
l...@chinet.chi.il.us
