Path: utzoo!attcan!uunet!crdgw1!rpi!zaphod.mps.ohio-state.edu!wuarchive!swbatl!texbell!moxie!texsun!csccat!camdev!mmuegel
From: mmuegel@camdev.comm.mot.com (Mike "Happy" Muegel)
Newsgroups: comp.sys.apollo
Subject: Re: Registry problems AGAIN
Keywords: registry security
Message-ID: <302@camdev.comm.mot.com?>
Date: 28 Oct 90 19:06:26 GMT
Reply-To: mmuegel@mot.com (Mike "Happy" Muegel)
Organization: Motorola Inc., Ft. Worth, Tx
Lines: 37

In article <1990Oct26.173919.15324@alchemy.chem.utoronto.ca> Mike Peterson writes:
> ... If you are root on any Apollo system, you can destroy
> anything you like on any Apollo system reachable by NCS (try 'rm -r //* &'
> from a UNIX shell, wait a while, and see what's left), so I see no
> point in protecting certain registry operations from remote root access
> when the remote root could just delete the entire operating system
> including the /sys/registry tree which edrgy is trying to protect
> right out from under you.

Under SR10+ you can protect nodes from remote root access via the
'/etc/lprotect' command. By using it, you can make it so that remote roots
(those not logged onto the node remotely or locally) can have read-only
access to objects or no access at all. If you then modify the
/etc/rgy/passwd_overide file you can establish different passwords for a
given account (such as a root account). Thus, you will have limited root
login privileges to this node to those roots that you wish to have access.
You have to do this also since someone could just crp/rlogin onto the
secure node as joe-user then still do an su root-whatever.

We were going to use this at our site to secure some super-secret stuff but
eventually decided against it because it made remote-software installation
a pain.

-Mike

--
+-----------------------------------------------------------------------------+
| Mike Muegel                           | Internet: mmuegel@mot.com           |
| Software Tools Engineer               | UUCP: uunet!motcid!muegel           |
| Fort Worth Research and Design Center | Voice: (817) 232-6623               |
| Cellular Infrastructure Group         | Fax: (817) 232-6030                 |
| Radio Telephone and Systems Group     | Mail: 5555 North Beach St.          |
| Motorola, Inc.                        | Fort Worth, TX 76137                |
+-----------------------------------------------------------------------------+