IT Baseline Protection Manual S 5.35 Use of UUCP security mechanisms
Initiation responsibility: IT Security Management, Administrators
Implementation responsibility: Administrators
The UUCP (Unix-to-Unix Copy) programme package is present as a standard feature in Unix systems and is also available for other operating systems. It allows the exchange of data between IT systems as well as the invocation of commands on remote IT systems. The only prerequisite for this is the compatibility of the uucico programmes on the two systems involved. UUCP is extremely widespread, although it has decreased in significance, e.g. due to the capability to connect computers via ISDN by means of TCP/IP.
As a rule, UUCP is used to exchange Email and news between computers. It also allows log-in (cu) and execution of programmes (uux) on remote computers.
Different UUCP versions exist: In addition to the implementation by Peter Honeyman, David Nowitz and Brian E. Redman from 1983 (HoneyDanBer UUCP), frequent use is made of the original UUCP system from the AT&T Unix Version 7, whose second variant is currently available (and called Version 2 UUCP) or the Tahoe UUCP (delivered with BSD 4.3).
The UUCP variant being employed can be identified through the files in the /usr/lib/uucp directory (/etc/uucp on some systems): Version 2 UUCP contains the file L.sys, HoneyDanBer contains the file Systems.
Version 2 UUCP poses major security problems (errors in uucico, risk of incorrect configuration due to the complexity of the security-related administration files). For this reason, the HoneyDanBer UUCP should be used instead.
The following security aspects should generally be considered when UUCP is used:
The administration of UUCP requires intensive treatment of the configuration possibilities and the related files. Note that differences might exist between the UUCP packages of the various Unix derivatives, even if these are all based on the HoneyDanBer UUCP.
The same requirements apply to the administration of UUCP files, programmes and directories as to the administration of system files and directories (cf. S 2.25 Documentation on the system configuration, S 2.31 Documentation of authorised users and authorisation parameters, S 4.19 Restrictive allocation of attributes for Unix system files and directories).
A user named uucp exists on most systems. The UUCP files, programmes and directories belong to this user. It must be ensured that this account has a password in accordance with the specifications in measure S 2.11 Provisions governing the use of passwords.
The home directory of the uucp user must not be the public directory /usr/spool/uucppublic, but a personal one accessible only by this user.
For every IT system which needs to log into the local IT system via UUCP, a separate user ID and password must be entered in /etc/passwd. The uucp user's UID must not be selected for this; instead, each remote IT system must have its own, individual UID.
UUCP passwords are transferred in uncoded (plain-text) form during communication requests, and are stored uncoded in the corresponding UUCP configuration file for requests to remote computers. Depending on the application and environment (particularly in the case of long-distance networks), appropriate safeguards must be taken, e.g. use of one-time passwords.
Various configuration files must be set up to allow the use of UUCP. All settings must be documented, and deviations from the settings recommended in the following must be explained to allow an understanding of these modifications at a later stage.
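The account requirements above (a private home directory for uucp, and a separate login with its own UID and a password for every remote system) can be checked mechanically. The following is an added example, not part of the manual; it assumes that UUCP login accounts are recognisable by uucico as their login shell, and the passwd lines are constructed sample data.

```python
from collections import Counter

PUBDIR = "/usr/spool/uucppublic"

# Constructed /etc/passwd lines (classic seven-field format), not from a real host.
SAMPLE = """\
root:x:0:0:root:/root:/bin/sh
uucp:x:5:5:UUCP admin:/usr/spool/uucppublic:/bin/sh
uhosta:x:5:5:UUCP login hosta:/usr/spool/uucppublic:/usr/lib/uucp/uucico
uhostb:x:201:5:UUCP login hostb:/usr/spool/uucppublic:/usr/lib/uucp/uucico
uhostc::201:5:UUCP login hostc:/usr/spool/uucppublic:/usr/lib/uucp/uucico
"""

def audit_passwd(text):
    """Return findings for the uucp user and the per-system UUCP logins."""
    rows = [line.split(":") for line in text.splitlines()
            if line and not line.startswith("#")]
    rows = [r for r in rows if len(r) == 7]          # ignore malformed lines
    findings = []
    admin = next((r for r in rows if r[0] == "uucp"), None)
    if admin and admin[5].rstrip("/") == PUBDIR:
        findings.append("uucp: home directory is the public directory")
    # Assumption: accounts used by remote systems have uucico as login shell.
    logins = [r for r in rows if r[6].endswith("/uucico")]
    uid_count = Counter(r[2] for r in logins)
    for name, pw, uid, *_ in logins:
        if admin and uid == admin[2]:
            findings.append(f"{name}: shares the uucp user's UID {uid}")
        elif uid_count[uid] > 1:
            findings.append(f"{name}: UID {uid} is used by another UUCP login")
        if pw == "":                                  # "x" means shadowed, not empty
            findings.append(f"{name}: no password set")
    return findings

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE):
        print(finding)
```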
The following files must be administered very carefully as they contain critical information for security. The files are located in the /usr/lib/uucp and /etc/uucp directories. Only the uucp user may have write access to these directories.
Systems: This file contains information required for establishing connections with remote IT systems. The time periods over which UUCP transmission is allowed can be specified here for every IT system. These time periods must be as short as possible. This file also contains the telephone numbers and log-in sequences for the IT systems with which UUCP connections can be established. Only the uucp owner may have read access to Systems, as passwords for remote IT systems are also entered here.
Permissions: Access rights for remote systems are specified here. As delivered, Permissions lists no IT systems, i.e. no access is possible via UUCP. For every computer that can call and log in, and for every computer that can be called, settings must be made to specify the respective access rights and other conditions. The access rights for IT systems called by the local one are specified in the entries listed under MACHINE, and those for the calling IT system under LOGNAME. Security can be increased considerably through the use of these configuration possibilities.
The uucheck -v command should be regularly used to check the options set in the Permissions file. These options should be set as follows:
REQUEST
This option should be set to NO (default setting) to prevent remote systems from reading local data.
COMMANDS
On no account should ALL be entered here; only required commands like rnews or rmail should be allowed. The commands should be stated with the full path name.
WRITE/READ
If this option is not specified, write/read access is only possible to the /usr/spool/uucppublic directory.
Directories to which access is allowed by means of this option must be documented together with the reasons for access. On no account should the root directory or the one containing the UUCP configuration files be entered here.
NOWRITE/NOREAD
This specifies exceptions to the WRITE/READ option. Directories containing sensitive information should generally be listed here. This prevents remote IT systems from gaining access to such directories when higher-level directories are released with READ/WRITE and the necessary restrictions have been neglected.
PUBDIR
This can be used to specify a public UUCP directory in place of /usr/spool/uucppublic. For UUCP communication involving several IT systems, a separate UUCP directory must be stated here for each of these systems.
CALLBACK
If CALLBACK is set to YES, the local IT system must call back the calling IT system before data exchange can be commenced. Of course, this is only useful for LOGNAME entries. The communication partners should agree on who is to activate a CALLBACK:
MYNAME
If MYNAME=name is set, the local system identifies itself with name instead of the computer designation when a UUCP connection is established with a remote system. This feature should be used for identification with a name which is intended exclusively for this connection and is thus difficult to ascertain.
VALIDATE
If VALIDATE=name is set, only IT systems listed under name can establish a connection via the systems listed under LOGNAME. This option must, in all cases, contain an entry, otherwise remote IT systems will be capable of masquerading by impersonating another computer name using MYNAME:
SENDFILES
The default setting (SENDFILES=CALL) should be retained here, so that jobs in the local queue are only transferred outside on establishment of a connection by the local IT system.
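The option settings listed above can be checked against a Permissions file with a short script that complements uucheck -v. The following is an added example, not part of the manual; the sample entries, host names and login names are constructed, and the parser assumes the HoneyDanBer syntax of whitespace-separated NAME=value pairs with colon-separated lists and backslash continuation lines.

```python
import re

# Constructed sample in HoneyDanBer Permissions syntax (not from a real host).
SAMPLE = r"""
# weak: combined entry that opens everything to any caller
LOGNAME=nuucp MACHINE=OTHER REQUEST=yes SENDFILES=yes \
    READ=/ WRITE=/ COMMANDS=ALL
# restrictive: one login per remote system, pinned with VALIDATE
LOGNAME=uhostb VALIDATE=hostb REQUEST=no SENDFILES=call
MACHINE=hostb COMMANDS=/usr/bin/rmail:/usr/bin/rnews \
    READ=/usr/spool/uucppublic/hostb WRITE=/usr/spool/uucppublic/hostb
"""
CONFIG_DIRS = ("/usr/lib/uucp", "/etc/uucp")

def parse_permissions(text):
    """Join backslash continuations, drop comments, return one dict per entry."""
    entries = []
    for line in re.sub(r"\\\s*\n", " ", text).splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            pairs = (tok.split("=", 1) for tok in line.split() if "=" in tok)
            entries.append({k.upper(): v.split(":") for k, v in pairs})
    return entries

def audit(entry):
    """Return findings for one entry against the option settings listed above."""
    out = []
    if entry.get("REQUEST", ["no"])[0].lower() != "no":
        out.append("REQUEST should be NO")
    if entry.get("SENDFILES", ["call"])[0].lower() != "call":
        out.append("SENDFILES should be CALL")
    for cmd in entry.get("COMMANDS", []):
        if cmd.upper() == "ALL":
            out.append("COMMANDS must not be ALL")
        elif not cmd.startswith("/"):
            out.append(f"COMMANDS: give the full path for {cmd}")
    for opt in ("READ", "WRITE"):
        for d in entry.get(opt, []):
            # "/" or any parent of a config directory also releases that directory
            # (NOREAD/NOWRITE exceptions are not evaluated here).
            if any((c + "/").startswith(d.rstrip("/") + "/") for c in CONFIG_DIRS):
                out.append(f"{opt}={d} exposes the UUCP configuration")
    if "LOGNAME" in entry and "VALIDATE" not in entry:
        out.append("LOGNAME entry has no VALIDATE")
    return out

def audit_file(text):
    return [audit(e) for e in parse_permissions(text)]

if __name__ == "__main__":
    for entry, found in zip(parse_permissions(SAMPLE), audit_file(SAMPLE)):
        print(entry.get("LOGNAME") or entry.get("MACHINE"), found or "ok")
```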
The /usr/lib/uucp/remote.unknown file of the HoneyDanBer UUCP is invoked if an unknown IT system, i.e. one not entered in the Systems file, attempts to establish a connection. Such attempts are rejected and logged. If remote.unknown cannot be executed, the local IT system grants all requests for connection by remote IT systems. It must therefore be ensured that remote.unknown can always be executed. Depending on the Unix system being used, remote.unknown exists in the form of an executable shell script or a C programme. If remote.unknown exists as a shell script on the local IT system, it should be replaced by a programme for security reasons. If this is not done, there is a danger of a calling IT system entering a command like "cat
For UUCP, several cleanup shell scripts are available which can be executed automatically by means of the cron daemon. This must not be initiated by root, as is the case for many systems, but by the uucp user.
When UUCP is used, various protocol files are created. In the case of HoneyDanBer UUCP, these files are located in subdirectories of /usr/spool. Successful and invalid requests for connection, transmitted and received quantities of data, error messages and data transfer statistics are listed here. These protocol files must be evaluated regularly (cf. S 4.25 Use of logging in the Unix system).
Additional controls:
Has the administrator been trained to use UUCP?
Are manuals on UUCP available?
Which UUCP variants are used?
Are the settings in the configuration files documented?