From: Don Yuniskis
Message-Id: <199705301648.JAB07926@seagull.rtd.com>
Subject: Re: uucp uid's
To: joerg_wunsch@uriah.heep.sax.de
Date: Fri, 30 May 1997 09:48:43 -0700 (MST)
Cc: hackers@FreeBSD.ORG
In-Reply-To: <19970530085744.UT50834@uriah.heep.sax.de> from "J Wunsch" at May 30, 97 08:57:44 am

> > > I don't think there's a burning need why all the uucpers should have
> > > the same UID, but I figure it doesn't hurt either.
> >
> > It's nicer if they have different uid's -- lets you be a bit more
> > restrictive of the types of access you grant to each.  Also lets
> > you see who's doing what...
>
> I think it's more of a ``It must be better, since my teacher taught
> me that each login needs a unique UID.'' argument.

Why not put all shell users under one login?  :>

> UUCP tracks activities by system name anyway.  You can even get away
> with a single login name for all peers, but they gotta share the same
> password then (which is undesirable).  These accounts are only
> supposed to run /usr/libexec/uucp/uucico, so the ``who's doing what''
> argument is also a moot point.  UUCP access restrictions are also
> placed per system, not per account.

A system can freely masquerade as any other -- including systems that
you *don't* want to give access to (i.e. your single account's password
has been compromised intentionally/unintentionally).  Especially
when the other system may be a DOS box running UUPC, etc.  :>

"Who's doing what" is intended to deal with "who's flooding me with
mail" or "where's this spam originating".  With a single account,
you have to explicitly trust *all* of those users *and* anyone else
who's snuck in with them.  When you want to disallow access to a
particular system, you have to change the password used by *all*
systems and inform the systems that can continue to access of this
change, etc.

If each UUCP dialup account has a unique login and that is compromised,
you can tell exactly where the problem originated, can disable that
*single* account (vs. *all* of them) without affecting service to other
accounts and can go in search of how the problem originated in the
first place.

> The only argument that made sense so far was somebody who wanted to
> run process accounting for them.  UUCP itself is a dinosaur.

Yet, I see several places that use UUCP as their sole connection to
the electronic world.  Kinda tough to force a client/customer to do
things *your* way when *he's* paying the bills!  :>

--don
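
An added example, not part of the original thread: a small audit that reads passwd(5)-format entries, picks out the logins whose shell is the uucico path named above, and reports which of them share a UID and so cannot be told apart by UID-keyed process accounting. The login names, UIDs and sample entries are constructed for illustration.

```python
from collections import defaultdict

UUCICO = "/usr/libexec/uucp/uucico"  # login shell named in the thread

# Constructed sample in passwd(5) format: name:pw:uid:gid:gecos:home:shell
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/libexec/uucp/uucico
Ualpha:*:66:66:peer alpha:/var/spool/uucppublic:/usr/libexec/uucp/uucico
Ubeta:*:66:66:peer beta:/var/spool/uucppublic:/usr/libexec/uucp/uucico
Ugamma:*:6003:66:peer gamma:/var/spool/uucppublic:/usr/libexec/uucp/uucico
dgy:*:1001:1001:shell user:/home/dgy:/bin/sh
"""

def uucp_logins(passwd_text, shell=UUCICO):
    """Return {uid: [login, ...]} for accounts whose shell is uucico."""
    by_uid = defaultdict(list)
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, _gid, _gecos, _home, sh = fields
        if sh == shell:
            by_uid[int(uid)].append(name)
    return dict(by_uid)

def shared_uids(by_uid):
    """UIDs used by more than one UUCP login: accounting records and
    file ownership cannot distinguish these peers."""
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}

def ambiguity(by_uid, login):
    """Other UUCP logins indistinguishable from `login` by UID."""
    for names in by_uid.values():
        if login in names:
            return sorted(n for n in names if n != login)
    raise KeyError(login)

if __name__ == "__main__":
    logins = uucp_logins(SAMPLE_PASSWD)
    for uid, names in sorted(shared_uids(logins).items()):
        print(f"uid {uid} shared by: {', '.join(names)}")
```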