Path: utzoo!attcan!uunet!mcvax!unido!nixpbe!mboen From: mboen@nixpbe.UUCP (Martin Boening) Newsgroups: comp.mail.uucp Subject: Uucp Security Keywords: I/O Redirection Message-ID: <140@nixpbe.UUCP> Date: 1 Dec 88 13:00:27 GMT Organization: Nixdorf Computer AG, Paderborn, Germany Lines: 30 Recently I had a problem with two suns connected via direct link using uucp. Any kind of I/O-Redirection didn't work. Things like uux - "remotesys!command" < inputfile resulted in XQT DENIED on the remote system as did things like uux "remotesys!command < !inputfile" (L.cmds allowed the command and it worked fine if no redirection occured anywhere in the uux- command. When I called at Sun and asked about this, I was told, that for security reasons I/O-Redirection had been eliminated from the uucp supplied by Sun. I couldn't get a more specific description from them. My question now is, why does stuffing the standard input for uux into the standard input of the invoked remote command pose a security problem ? Why, indeed, does any redirection of standard input for the remote command to a file on the local (invoking) system pose a risk ? (Especially since execution of a shell is not allowed by L.cmds) Any helpful hints are appreciated, as we are doing some work on security at the moment. (flames, however, will be copied to /dev/null) Thanks a lot Martin: Email: mboen@nixpbe.UUCP