Date: Fri, 30 May 1997 09:48:43 -0700 (MST)
From: Don Yuniskis <dgy@rtd.com>
To: joerg_wunsch@uriah.heep.sax.de
Cc: hackers@FreeBSD.ORG
Subject: Re: uucp uid's
Message-ID: <199705301648.JAB07926@seagull.rtd.com>
In-Reply-To: <19970530085744.UT50834@uriah.heep.sax.de> from "J Wunsch" at May 30, 97 08:57:44 am

> > > I don't think there's a burning need why all the uucpers should have
> > > the same UID, but I figure it doesn't hurt either.
> >
> > It's nicer if they have different uid's -- lets you be a bit more
> > restrictive of the types of access you grant to each.  Also lets
> > you see who's doing what...
>
> I think it's more of a ``It must be better, since my teacher taught
> me that each login needs a unique UID.'' argument.

Why not put all shell users under one login?  :>

> UUCP tracks activities by system name anyway.  You can even get away
> with a single login name for all peers, but they gotta share the same
> password then (which is undesirable).  These accounts are only
> supposed to run /usr/libexec/uucp/uucico, so the ``who's doing what''
> argument is also a moot point.  UUCP access restrictions are also
> placed per system, not per account.

A system can freely masquerade as any other -- including systems that
you *don't* want to give access to (i.e. your single account's password
has been compromised intentionally/unintentionally).  Especially when
the other system may be a DOS box running UUPC, etc.  :>

"Who's doing what" is intended to deal with "who's flooding me with
mail" or "where's this spam originating".  With a single account, you
have to explicitly trust *all* of those users *and* anyone else who's
snuck in with them.  When you want to disallow access to a particular
system, you have to change the password used by *all* systems and
inform the systems that can continue to access of this change, etc.

If each UUCP dialup account has a unique login and that is compromised,
you can tell exactly where the problem originated, can disable that
*single* account (vs. *all* of them) without affecting service to other
accounts and can go in search of how the problem originated in the
first place.

> The only argument that made sense so far was somebody who wanted to
> run process accounting for them.  UUCP itself is a dinosaur.

Yet, I see several places that use UUCP as their sole connection to the
electronic world.  Kinda tough to force a client/customer to do things
*your* way when *he's* paying the bills!  :>

--don
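
The attribution and revocation argument in the message above, as an added example that is not part of the original e-mail: it compares a shared UUCP login with one login per peer by checking each incoming session's login against the system name the caller claims. The login names, system names and session records are constructed for illustration and do not reproduce a real uucico log format.

```python
# Added example. All names and records below are constructed, not real logs.

# Scheme A: every peer system dials in with the same login (and password).
SHARED = {"alpha": "uucp", "beta": "uucp", "gamma": "uucp"}
# Scheme B: each peer system has its own login.
UNIQUE = {"alpha": "Ualpha", "beta": "Ubeta", "gamma": "Ugamma"}

# (system that really placed the call, system name it claimed in the session)
CALLS = [
    ("alpha", "alpha"),
    ("beta", "beta"),
    ("gamma", "alpha"),   # gamma presents itself as alpha
]


def observed(scheme, calls):
    """What the answering host can see: (login used, claimed system name)."""
    return [(scheme[caller], claimed) for caller, claimed in calls]


def masquerades(scheme, seen):
    """Sessions whose login is not the one bound to the claimed system."""
    return [(login, claimed) for login, claimed in seen
            if scheme.get(claimed) != login]


def revocation_impact(scheme, compromised_system):
    """Systems cut off (or needing a new password) when that login is disabled."""
    login = scheme[compromised_system]
    return sorted(name for name, l in scheme.items() if l == login)


if __name__ == "__main__":
    for label, scheme in (("shared", SHARED), ("unique", UNIQUE)):
        seen = observed(scheme, CALLS)
        print(label, "flagged:", masquerades(scheme, seen))
        print(label, "revoking gamma affects:", revocation_impact(scheme, "gamma"))
```

With the shared login the third session is indistinguishable from a legitimate call by alpha, and disabling the login cuts off every peer; with unique logins the mismatch is visible and only gamma is affected.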