IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Communications Remarks
____________________________________________________________________ .........................................
S 5.35 Use of UUCP security mechanisms
Initiation responsibility: IT Security Management, Administrators
Implementation responsibility: Administrators
The UUCP (UNIX-to-UNIX Copy) programme package is present as a
standard feature in UNIX systems and is also available for other operating
systems allowing the exchange of data between IT systems as well as the
invocation of commands on remote IT systems. The only prerequisite for this
is the compatibility of the uucio programmes on the two systems involved.
UUCP is extremely widespread, although it has decreased in significance, e.g.
due to the capability to connect computer via ISDN by means of TCP/IP.
As a rule, UUCP is used to exchange Email and news between computers. It
also allows log-in (cu) and execution of programmes (uux) on remote
computers.
Different UUCP versions exist: In addition to the implementation by Peter
Honeyman, David Nowitz and Brian E. Redman from 1983 (HoneyDanBer
UUCP), frequent use is made of the original UUCP system from the AT&T
UNIX Version 7, whose second variant is currently available (and called
Version 2 UUCP) or the Tahoe UUCP (delivered with BSD 4.3).
The UUCP variant being employed can be identified through the files in the
/usr/lib/uucp directory (/etc/uucp on some systems): Version 2 UUCP contains
the file L.sys, HoneyDanBer contains the file Systems.
Version 2 UUCP poses major security problems (errors in uucico, risk of
incorrect configuration due to the complexity of the security-related
administration files). For this reason, the HoneyDanBer UUCP should be used
instead.
The following security aspects should generally be considered when UUCP is
used:
- The administration of UUCP requires intensive treatment of the
configuration possibilities and the related files. Note that differences might
exist between the UUCP packages of the various UNIX derivatives, even if
these are all based on the HoneyDanBer UUCP.
- The same requirements apply to the administration of UUCP files,
programmes and directories as to the administration of system files and
directories (cf. S 2.25 Documentation on the system configuration, S 2.31
Documentation of authorised users and authorisation parameters, S 4.19
Restrictive allocation of attributes for UNIX system files and directories).
- A user named uucp exists on most systems. The UUCP files, programmes
and directories belong to this user. It must be ensured that this account has
a password in accordance with the specifications in measure S 2.11
Provisions governing the use of passwords.
The home directory of the uucp user must not be the public directory
/usr/spool/uucppublic, but a personal one accessible only by this user.
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000