cperciva
09-08-2001, 11:13 PM
A quick warning to anyone who isn't keeping track of such things: Many unix systems have a UUCP-related root hole. In particular, any system which runs UUCP-owned binaries as root (which commonly occurs via cron jobs running uustat) is likely to be vulnerable. So far this is known to include OpenBSD 2.8 and FreeBSD 4.3, and lesser problems have been demonstrated on various linuxes (although it is quite possible that root exploits exist for those as well).
The original Bugtraq post is here (http://www.securityfocus.com/archive/1/212892).
The workaround, at least until a proper solution is developed, is to disable UUCP; exact details will vary but
find / -user uucp -type f -exec chmod a-x {} ';'
should work on most systems.
How many people actually use UUCP these days?
It's one of the first things I remove from the system.
cperciva
09-09-2001, 12:03 AM
Almost nobody uses UUCP any more... but very few people actually remove it. As of about five minutes ago UUCP is being moved into the ports tree of FreeBSD, but until now it has been installed and idle on almost every FreeBSD (and OpenBSD, and linux, and IRIX, and...) system around.
Very few people (unfortunately) go around and remove programs they don't need... and it's a security hole regardless of anybody using it.
Mike the newbie
09-09-2001, 07:34 AM
Originally posted by cperciva
Almost nobody uses UUCP any more... but very few people actually remove it. As of about five minutes ago UUCP is being moved into the ports tree of FreeBSD, but until now it has been installed and idle on almost every FreeBSD (and OpenBSD, and linux, and IRIX, and...) system around.
Very few people (unfortunately) go around and remove programs they don't need... and it's a security hole regardless of anybody using it.
The install of OpenBSD 2.9 (released last June) does not have the uucp daemon active in inetd.conf.
cperciva
09-09-2001, 11:39 AM
Originally posted by Mike the newbie
The install of OpenBSD 2.9 (released last June) does not have the uucp daemon active in inetd.conf.
Yes, but every version of OpenBSD until "Sun Sep 9 01:07:31 2001 UTC" runs uustat from /etc/daily each night. A local user can replace uustat with a trojan, giving himself root access the next night.
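An added audit script, not from the thread or any of the posters, that generalises the chmod workaround in the first post and checks for the /etc/daily-style path described above: it lists executables owned by a given account (uucp assumed), flags those whose name appears in root-run scripts, and strips the execute bit from the account's executables. Function names, the OWNER/ROOT/SCRIPT arguments and DRY_RUN are assumptions.

```shell
#!/bin/sh
# Added audit for the UUCP cron/periodic root path (assumed names, not
# from the thread). A root-run script invoking a binary writable by the
# uucp account lets anyone who controls that account run code as root.

# Print regular files below $2 owned by $1 with the owner-execute bit
# set (-perm -100), one per line.
owned_executables() {
    find "$2" -type f -user "$1" -perm -100 2>/dev/null
}

# For each executable owned by $1 below $2, report every script among
# $3... that mentions its basename, as "script:binary" lines. These are
# the root-to-uucp-owned-binary paths (e.g. /etc/daily running uustat).
# Paths are word-split on whitespace, which system bin dirs do not use.
flag_root_run_binaries() {
    owner=$1; root=$2; shift 2
    for bin in $(owned_executables "$owner" "$root"); do
        name=$(basename "$bin")
        for script in "$@"; do
            [ -r "$script" ] || continue
            if grep -qw -- "$name" "$script"; then
                echo "$script:$bin"
            fi
        done
    done
}

# The thread's workaround, limited to executables: clear a+x on every
# executable owned by $1 below $2 (skipped when DRY_RUN is set) and
# print the number of files touched.
neutralize_owned_executables() {
    count=0
    for bin in $(owned_executables "$1" "$2"); do
        [ -n "$DRY_RUN" ] || chmod a-x "$bin"
        count=$((count + 1))
    done
    echo "$count"
}

# Typical invocation on a real host (assumed paths):
#   flag_root_run_binaries uucp / /etc/daily /etc/crontab
#   DRY_RUN=1 neutralize_owned_executables uucp /
```

Run the flag step first; a non-empty report means a root-run script still reaches a uucp-owned binary and the neutralize step (or removing UUCP) is the fix.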
Mike the newbie
09-09-2001, 04:44 PM
Originally posted by cperciva
Yes, but every version of OpenBSD until "Sun Sep 9 01:07:31 2001 UTC" runs uustat from /etc/daily each night. A local user can replace uustat with a trojan, giving himself root access the next night.
Ahhhh.. good point, thanks.