Path: utzoo!utgpu!water!watmath!clyde!rutgers!gatech!ncar!noao!mcdsun!mcdchg!heiby
From: heiby@mcdchg.UUCP (Ron Heiby)
Newsgroups: comp.mail.uucp
Subject: Re: HDB uucp security hole ?
Message-ID: <7049@mcdchg.UUCP>
Date: 8 Apr 88 15:04:00 GMT
References: <4210002@hpirs.HP.COM>
Reply-To: heiby@mcdchg.UUCP (Ron Heiby)
Organization: Motorola Microcomputer, Schaumburg, IL
Lines: 16

Dennis D. Lee (dennis@hpirs.HP.COM) writes:
>   On AT&T System V.2.1 uucp (HoneyDanBer) , the remote system's password is
>   printed when using the -x option with a level higher than 3. 

On the systems I've seen with HoneyDanBer UUCP, there is information
compiled into uucico that specifies the range of uids or gids for
which the phone number and login information is displayed.  I'm
uid=501(heiby) gid=101(mot) on my system, and bunches of "?" are
displayed instead of sensitive information when I invoke uucico.
When I invoke uucico while logged in as "root", I get to see everything.
If your implementation does not do this, then it should be fixed
by your vendor.
-- 
Ron Heiby, heiby@mcdchg.UUCP	Moderator: comp.newprod & comp.unix
"I believe in the Tooth Fairy."  "I believe in Santa Claus."
	"I believe in the future of the Space Program."