Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!wuarchive!zaphod.mps.ohio-state.edu!think.com!mintaka!bloom-beacon!eru!hagbard!sunic!mcsun!ukc!mucs!cns!umaida!rn
From: rn@ap.co.umist.ac.uk (bob nutter)
Newsgroups: comp.sys.apollo
Subject: Re: Registries and security (a real doody!)
Message-ID: <1990Nov1.105243@ap.co.umist.ac.uk>
Date: 1 Nov 90 10:52:43 GMT
References: <9010291025.AA01144@apo.esiee.fr> <4dbb5bb7.20b6d@apollo.HP.COM>
Sender: usenet@cns.umist.ac.uk (News System)
Reply-To: rn@ap.co.umist.ac.uk (bob nutter)
Organization: UMIST Computation, Manchester, UK.
Lines: 28

In article <4dbb5bb7.20b6d@apollo.HP.COM>, pato@apollo.HP.COM (Joe Pato) writes:

[Frank Bonnet's stuff deleted...]

|>
|> Your problem must have been that you neglected to set the owner field on
|> the "root" person. (By default the rgy_create tool creates all entries
|> owned by %.%.%.) New objects created by edrgy inherit the ownership
|> information that is attached to the particular naming domain.
|>
|> Given that the root person was owned by %.%.%, then you are right - anyone can
|> create new root.... accounts. Once you set the owner on the root person,
|> however, only that owner will be able to create new "root" accounts.

Yup, only found out about this last week when a friend in our Elec Eng dept
was writing a script. Seeing as everyone knows about it now, I would *strongly*
recommend you make sure you change the root ownership. Anyone, I repeat
*anyone* can type 'passwd root' and change the root passwd with it otherwise.
passwd makes no check that the user id is 0, but relies on the registry for
security checks.

Apollo UK are reported to have had to fix this on *their* machines! I leave
you to draw your own conclusions about this...

-------------------------------------------------------------------------------
bob nutter, computer officer     | "Every year we destroy an area of rain
UMIST dept of computation        |  forest the size of Belgium. Why not just
po box 88 manchester m60 1qd uk  |  destroy Belgium?"
tel:+44 61 200 3386              |                  -Canned Carrott
email:b.nutter@umist.ac.uk       |