Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!usc!jarthur!ucivax!orion.oac.uci.edu!ucsd!ames!bionet!agate!agate!rusty From: rusty@belch.Berkeley.EDU (Rusty Wright) Newsgroups: comp.unix.ultrix Subject: su bug in Ultrix 4.1 still there Message-ID: Date: 10 Dec 90 22:44:56 GMT Sender: usenet@agate.berkeley.edu (USENET Administrator) Distribution: comp Organization: University of California Berkeley Lines: 23 I just upgraded my DECstation 5000 to Ultrix 4.1 and the su bug from Ultrix 4.0 is still there. For those of you who missed my tirade when I upgraded to Ultrix 4.0, here's a synopsis of the problem. If your security level is set to ENHANCED you can't use the su command unless the tty line you're on is marked secure in /etc/ttys. On a time sharing system like a DECserver or a large VAX that's not so bad. But on a workstation running windows you'll almost always be on a tty that's a pseudo tty (unless you happen to have a dialin modem connected to your workstation) because of course that's what dxterm, xterm, etc. use. So you might think you could just edit /etc/ttys and add the secure keyword to all of the pseudo tty lines, but that would be a mistake because that would make your system less secure because that allows root logins over the network via rlogin or telnet; i.e., then some cracker could try to guess your root password. When I upgraded to Ultrix 4.0 I called the 800 number and reported this bug to the folks in Atlanta. The person I talked to understood the problem and agreed that it was a problem but there wasn't any patch available. He said the next thing to do was for me to bring it up with my local Field Service, which I did. They didn't understand the problem but they did investigate and their response was "that's the way it's supposed to be."