Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!tut.cis.ohio-state.edu!unmvax!ariel.unm.edu!triton.unm.edu!collins
From: collins@triton.unm.edu (Bill Collins CIRT)
Newsgroups: comp.unix.ultrix
Subject: Re: su bug in Ultrix 4.1 still there
Summary: Bug for feature
Message-ID: <1990Dec11.020057.24872@ariel.unm.edu>
Date: 11 Dec 90 02:00:57 GMT
References:
Sender: news@ariel.unm.edu (USENET News System)
Distribution: comp
Organization: University of New Mexico, Albuquerque NM
Lines: 47

In article rusty@belch.Berkeley.EDU (Rusty Wright) writes:
>I just upgraded my DECstation 5000 to Ultrix 4.1 and the su bug from
>Ultrix 4.0 is still there. For those of you who missed my tirade when
>I upgraded to Ultrix 4.0, here's a synopsis of the problem.

I haven't. I have noticed the "bug."

>If your security level is set to ENHANCED you can't use the su command
>unless the tty line you're on is marked secure in /etc/ttys.
> ...
>add the secure keyword to all of the pseudo tty lines, but that would
>be a mistake because that would make your system less secure because
>that allows root logins over the network via rlogin or telnet; i.e.,
>then some cracker could try to guess your root password.

Repeated login failures are recorded. Guessing from outside would (should) be noticed, especially in ENHANCED mode.

>                                                        They didn't understand
>the problem but they did investigate and their response was "that's
>the way it's supposed to be."

I suppose it may be argued either way. Adding "secure" after a device could mean that root access is allowed, which is how Digital seems to understand it. Or adding "secure" could mean that initial root access (e.g. via rlogin or telnet) is allowed.

The former suggestion is that a device, any device, is considered safe and "secure" (i.e. allowed root access) or it isn't. "Root" access is the same here, regardless of the method (e.g. su(1), telnet(1), rlogin(1)).

The latter suggests that if a user has an account, legitimate or otherwise, and access to su(1), then the device which he/she is on is secured by the fact that the user has an account. This may not always be true. The avenue does provide some additional tracking, by chance, as the account which uses su(1) is given.

Perhaps the question may be posed in this fashion: "is the 'network' secure?" To what extent do you mean to secure root access? After all, you can write your own su program if you wish, it's not hard.

4.x ENHANCED behavior doesn't seem too hard to accept, or to work around. Bug? Perhaps not. Just a different understanding.

Bill
collins@triton.unm.edu

p.s. beware of the 5th column!
--
Internet: collins@ariel.unm.edu   BITnet: collins@unmb.bitnet
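The thread turns on what the "secure" keyword in /etc/ttys grants: on an ENHANCED-mode Ultrix host it gates su(1) on the current line, but on a pseudo-tty it also permits a direct root login over rlogin/telnet. The check below is an added example, not code from either poster; it audits a ttys file for pseudo-tty lines carrying "secure" (the setting the original poster warns against) and emits a corrected copy with the keyword removed from those lines only, leaving it on the console. It assumes the 4.3BSD/Ultrix ttys(5) layout (name, getty command, terminal type, status flags such as "on"/"off"/"secure") and that pseudo-tty names begin with ttyp through ttyz; the sample file is constructed here, not taken from a real system.

```shell
#!/bin/sh
# Audit /etc/ttys for network pseudo-ttys marked "secure".
# Assumed line layout (4.3BSD/Ultrix ttys(5)):
#     name   "getty command"   type   status-flags...   [secure]
# Assumed pseudo-tty naming: ttyp0..ttyz?  (hex suffix)

# Constructed sample, standing in for a real /etc/ttys.
SAMPLE="${TMPDIR:-/tmp}/ttys.sample.$$"
cat > "$SAMPLE" <<'EOF'
# name   getty                   type     status   comments
console  "/etc/getty std.9600"   vt100    on secure
tty00    "/etc/getty std.9600"   dialup   on
ttyp0    none                    network  secure
ttyp1    none                    network
ttyp2    none                    network  secure
EOF

# insecure_ptys FILE
# Print the names of pseudo-tty lines that carry the "secure" flag,
# i.e. lines on which root may log in directly from the network.
insecure_ptys() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }        # skip comments and blank lines
        $1 ~ /^tty[p-z]/ {                     # pseudo-tty names only
            for (i = 2; i <= NF; i++)
                if ($i == "secure") { print $1; break }
        }
    ' "$1"
}

# strip_pty_secure FILE
# Write FILE to stdout with "secure" removed from pseudo-tty lines.
# Hardwired lines (console, tty00, ...) are passed through untouched,
# so su(1) from the console keeps working in ENHANCED mode.
# Note: matching pseudo-tty lines are re-joined with single spaces.
strip_pty_secure() {
    awk '
        !/^[ \t]*#/ && $1 ~ /^tty[p-z]/ {
            out = ""
            for (i = 1; i <= NF; i++)
                if ($i != "secure")
                    out = out (out == "" ? "" : " ") $i
            print out
            next
        }
        { print }
    ' "$1"
}

# Usage: report, then produce a corrected copy beside the sample.
echo "pseudo-ttys marked secure in $SAMPLE:"
insecure_ptys "$SAMPLE"
strip_pty_secure "$SAMPLE" > "$SAMPLE.fixed"
echo "corrected copy written to $SAMPLE.fixed"
```

Run it against a real file with `insecure_ptys /etc/ttys`; anything it prints is a line on which a guessed root password works without first compromising an ordinary account. The corrected copy is written beside the input rather than over it, so it can be diffed and installed deliberately (and followed by the usual init re-read of /etc/ttys) instead of being applied blind.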