From owner-freebsd-security Wed Jul 30 14:01:05 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id OAA03267 for security-outgoing; Wed, 30 Jul 1997 14:01:05 -0700 (PDT)
Received: from tok.qiv.com ([204.214.141.211]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id OAA03259 for ; Wed, 30 Jul 1997 14:01:02 -0700 (PDT)
Received: (from uucp@localhost) by tok.qiv.com (8.8.6/8.8.5) with UUCP id QAA01312; Wed, 30 Jul 1997 16:00:43 -0500 (CDT)
Received: from localhost (jdn@localhost) by acp.qiv.com (8.8.6/8.8.5) with SMTP id PAA01063; Wed, 30 Jul 1997 15:52:39 -0500 (CDT)
X-Authentication-Warning: acp.qiv.com: jdn owned process doing -bs
Date: Wed, 30 Jul 1997 15:52:38 -0500 (CDT)
From: "Jay D. Nelson"
To: James Seng
cc: security@FreeBSD.ORG
Subject: Keep UUCP (Was: Re: security hole in FreeBSD)
In-Reply-To: <3.0.32.19970730223202.0070ef8c@student.anu.edu.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Sometimes I think we can be too "internet-centric" for our own good.
UUCP makes good security and economic sense.

An ISP that caters to internet aficionados will have no use for UUCP.
But commercial customers are showing interest because a) UUCP isolates
them from the internet, providing greater security while keeping
employees from `surfing', b) costs far less than the typical dedicated
connection. PSInet charges $50/Mo. + $145.00 setup, I believe, and
c) many of our foreign friends have no other reasonable way to go.

From the ISP's perspective, a UUCP account ties up far less resources
than the dedicated or ppp account.

As an example, last month I transferred 12.14 Megs with a total connect
time of 1.66 hours (28.8). If I had an out-of-state long distance
peer, I would have spent less than $14.00 in long distance charges.
In other words, my commercial client could have one UUCP connection to
a provider and serve mail to seven out-of-state offices for less than
the typical dedicated 64K ISDN account.

So that is my case. I understand the desire to reduce distribution
size and eliminate unused suid binaries -- but to take UUCP out seems
to me equivalent to getting rid of the C compiler and development
tools. Make it an install option if you want, but leave it as a part
of the standard distribution.

-- Jay

On Wed, 30 Jul 1997, James Seng wrote:

->At 09:06 PM 7/29/97 -0400, Adam Shostack wrote:
->> Let me be clear; I don't have anything against UUCP users, but
->>most people don't need it turned on. Since parts of it are
->>setuid, (and thus potential security holes) I think it's
->>reasonable to suggest that it ship either not setuid or as an install option.
->
->I have not heard of any request for the use of UUCP from my users nor have my
->UUCP binaries been used in the last few years...I think the time when leased
->line is expensive, when universities work with 9,600bps (wow) connections and
->when UUCP rules the earth is over...we have to let it go and look forward. *8)
->
->I have nothing against UUCP of course but it is always nice if we can reduce
->the base distribution size by letting some of the less often used stuff away.
->
->*cheers*
->
->-James Seng
->