Slightly off-topic, but still UUCP related. If a SunOS box NFS exported
/, and I could mount /, even without root NFS access, using the uucp
user, I could overwrite uucico because it was owned by uucp. The entry
in inetd.conf would automatically run uucico as root. Telnet to the box
on that port, and it would happily run whatever I put in the uucico file.
Bad joo-joo.
On 10/8/2019 2:38 PM, Norman Wilson wrote:
Back in the heyday of uucp, some sites were lazy and
allowed
uucico access to any file in the file system (that was accessible
to the uucp user). A common ploy for white hats and black hats
was to try
uucp remotesys!/etc/passwd ~/remotesys
or the like, and see what came in and whether it had any easy
hashes (shadow password files didn't quite exist yet).
The system known to the uucp world as research! was more
careful: / was mapped to /usr/spool/uucp. We left a phony
etc/passwd file there, containing plausible-looking entries
with hashes that, if cracked, spelled out
why
are
you
wasting
your
time
I don't remember whether anyone ever stole it by uucp, though
I think Bill Cheswick used it to set up the phony system
environment for Berferd to play in (Google for `cheswick berferd'
if you don't know the story).
Norman Wilson
Toronto ON