Thu, 30 Jun 2005, by chadley@pinteq.co.za:
Greetings,
Friends, I am in a situation with one of my clients who use - (Yes that one again!!), uucp.
Now their previous techies set all the user IDs for the system to 0 (zero). Oh! and all the GIDs as well. Now I have come in and had to fix this, but I get resistance.
[..]
I need more reasons, explaining how this affects the system integrity and functionality. The trick here is they don't give two hoots about the security aspect. So to win my case professionally and cleverly, I ask for real opinions and reasons.

Any exploit of this uucp system would give an attacker full access to that system. Because uucp is hardly being used anymore there aren't a lot of people looking at the source anymore, at least not a lot of white-hats.

Tell your organisation that security isn't just about the inconvenience of having to rebuild a system after it's been rooted, it's also about ending up in firewall IP lists, RBLs, maybe seeing your name spread over the Internet as having a kiddy-porn FTP server etc.

Theo
--
Theo v. Werkhoven Registered Linux user# 99872 http://counter.li.org
ICBM 52 13 26N , 4 29 47E. + ICQ: 277217131
SUSE 9.2 + Jabber: muadib@jabber.xs4all.nl
Kernel 2.6.8 + See headers for PGP/GPG info.
Claimer: any email I receive will become my property. Disclaimers do not apply.
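
As an added example (not part of either message): a shell function that audits a passwd-format file for the condition described in this thread, namely non-root accounts with UID 0 or primary GID 0, plus shared non-zero UIDs. The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for accounts that share root's IDs.

# Constructed sample mirroring the situation in the post (not real data).
sample_passwd() {
    cat <<'EOF'
# constructed sample
root:x:0:0:root:/root:/bin/sh
uucp:x:0:0:uucp:/var/spool/uucp:/bin/sh
alice:x:0:0:Alice:/home/alice:/bin/sh
bob:x:1001:100:Bob:/home/bob:/bin/sh
carol:x:1001:100:Carol:/home/carol:/bin/sh
daemon:x:2:0:daemon:/sbin:/bin/false
broken:x:abc:100::/home/broken:/bin/sh
EOF
}

# audit_passwd [file|-]: print one finding per line; exit status 1 if any.
audit_passwd() {
    awk -F: '
        BEGIN { bad = 0 }
        /^[ \t]*(#|$)/ { next }                      # comments, blank lines
        NF != 7 || $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ {
            printf "MALFORMED line %d (%s)\n", NR, $1; bad = 1; next
        }
        {
            uid = $3 + 0; gid = $4 + 0
            # Any UID 0 account is root to the kernel, whatever its name.
            if (uid == 0 && $1 != "root") { print "UID0 " $1; bad = 1 }
            # Some systems ship system accounts with primary GID 0: review these.
            if (gid == 0 && uid != 0) { print "GID0 " $1; bad = 1 }
            # Shared non-zero UIDs make file ownership and audit trails ambiguous.
            if (uid != 0 && (uid in owner)) {
                print "DUPUID " $1 " shares uid " uid " with " owner[uid]; bad = 1
            } else if (uid != 0) owner[uid] = $1
        }
        END { exit bad }
    ' "${1:-/etc/passwd}"
}

# Run with --demo to audit the constructed sample instead of a real file.
if [ "${1:-}" = "--demo" ]; then sample_passwd | audit_passwd -; fi
```

Called with no argument, `audit_passwd` reads `/etc/passwd`; the non-zero exit status makes it usable as a check in a cron job or configuration-management run.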