Xref: utzoo comp.unix.internals:847 comp.unix.sysv386:1561
Path: utzoo!attcan!uunet!samsung!dali.cs.montana.edu!uakari.primate.wisc.edu!zaphod.mps.ohio-state.edu!wuarchive!mit-eddie!bloom-beacon!eru!hagbard!sunic!mcsun!ukc!stl!robobar!ronald
From: ronald@robobar.co.uk (Ronald S H Khoo)
Newsgroups: comp.unix.internals,comp.unix.sysv386
Subject: Re: Bad login user id(sco-unix)
Message-ID: <1990Oct26.092606.7374@robobar.co.uk>
Date: 26 Oct 90 09:26:06 GMT
References: <18633@rpp386.cactus.org> <1646@mitisft.Convergent.COM>
Followup-To: comp.unix.sysv386
Organization: Robobar Ltd., Perivale, Middx., ENGLAND.
Lines: 46

[ did this thread ever have anything to do with internals ? back to
sysv386 now, anyway ... ]

halpin@mitisft.Convergent.COM (pri=20 Chris Halpin) writes:

> The luid is an additional uid associated w/every process that is set at
> login time and CAN NEVER be changed

Wrong. Eamon McManus posted a version of su(1) that *did* change the
luid -- by scribbling in /dev/kmem. It should be possible to merge
Eamon's code into John's login too.

> It is used by the audit trail to allow tracking of
> changes in identity.

Do you know anyone who has enough disc space to enable auditing ? (1/2 :-)

> exec(2)ing login will result in an attempt
> to setluid(2) that fails since the luid is already set.

Which is extremely inconvenient since it causes ct(1) to fail. A good
reason to switch login(1)s.

> creates problems with cron (you need to shutdown to restart cron since it
> needs to be run w/no luid set so that it may run its jobs as any user it
> chooses).

How can you restart cron ? Only from init(8), since any shell you get
from login(1) will have luid set.... unless you use Eamon's hack or if
you modify login(1) to notice a special login and give it a shell
without setting the luid.

> login(1) was extensively
> modified to accommodate the requirements of C2.

Those of us interested in John F Haugh III's login suite are attempting
to subvert the C2 intentions of SCO Unix. The idea is that there should
be a "kit" to disable as many of the security features as possible to be
installed *after* the OS has already been installed -- someone said that
it must come up in C2 in the beginning, so such a kit would have to be
installed afterwards. Such a kit should also be shipped by SCO, but
until they do so, we do what we can with source provided by kind
netters :-)

--
ronald@robobar.co.uk +44 81 991 1142 (O) +44 71 229 7741 (H)