Path: utzoo!attcan!uunet!know!zaphod.mps.ohio-state.edu!usc!apple!netcom!jbreeden
From: jbreeden@netcom.UUCP (John Breeden)
Newsgroups: comp.sys.att
Subject: Re: StarGROUP DOS Server insecurities.
Message-ID: <15635@netcom.UUCP>
Date: 27 Oct 90 01:18:30 GMT
References: <40913@cc.usu.edu>
Organization: Netcom- The Bay Area's Public Access Unix System {408 241-9760 guest}
Lines: 30

In article <40913@cc.usu.edu> JRD@cc.usu.edu (Joe Doupnik) writes:
>
>	Has anyone commented on the ability of an ordinary DOS client to
>execute the StarGROUP DOS Server command SRV and stop the entire server?
>	I pulled the plug on mapping the attutil logical name across the
>network where this ability is sitting right in the open as SRV.EXE. The
>trick is to edit the file RULES.LST and remove the last line invoking
>server file NETSTART.BAT. But this was not quite enough because a user
>can use Kermit to log into the Unix server and do exactly the same bad
>things via FACE.
>	Overall this seems to be a cavernous security hole.
>	Joe D.

Yes, I'd say that leaving out passwords on a Unix system is a bit of a
security hole (-:

You have an old release of StarGroup. It no longer even uses the same
application layer that you are now using (nor support for DOS servers -
another big security hole in itself).

StarGROUP is up to release 3.4 - it's Lan Manager/X over either ISO, Netbeui
and one more unannounced transport layer - and three different layers of
security.

--
John Robert Breeden,
netcom!jbreeden@apple.com, apple!netcom!jbreeden, ATTMAIL:!jbreeden
-------------------------------------------------------------------
"The nice thing about standards is that you have so many to choose from.
If you don't like any of them, you just wait for next year's model."