Path: utzoo!utgpu!news-server.csri.toronto.edu!rutgers!pyrnj!hhb!istvan
From: istvan@hhb.UUCP (Istvan Mohos)
Newsgroups: comp.unix.internals
Subject: Re: becoming root via NFS
Message-ID: <638@hhb.UUCP>
Date: 20 Dec 90 13:52:06 GMT
Organization: HHB Systems, Mawah, NJ
Lines: 59

I've re-read "UNIX System Security" (by Wood and Kochan) recently and jotted down a list of over 50 security risks, all the while trying to banish the song "Fifty Ways To Leave Your Lover" recurring in my mind. The recommended security procedures for avoiding the risks on my list run the gamut, from the obvious and easily adhered-to, to the ridiculous and unenforceable.

Although any one of the pitfalls described by Wood and Kochan will deliver the system to an adversary, lock, stock and barrel, the sum of the risks represented by the book pales in comparison with the "Anyone Can Be Root" model which links workstations to a central server through NFS. Even if you discount Tom Christiansen's innovative "Real Programmers' Setuid" algorithm, allowing absolutely everyone to "su" to all other users, and in doing so access gigabytes of data, is a kiss of death to security, an iceberg that will sink the Titanic.

(Fume aside: Meanwhile, dear posters to sci.crypt - you all know who you are: with your psyche bonded to DES as surely as Citizen Kane's was to ROSEBUD, and disbelieving in a "life after DES" - you go on being impervious to the fact that an intruder doesn't need to pick locks and crack passwords when the doors and windows to the system are already ajar.)

Becoming root on the NFS network is a highly overrated prize, only interesting from a technical point, a "UNIX internals" achievement. I suppose this explains the present thread in this newsgroup.
On the other hand, at any firm with ongoing major software development, the data distributed among the users embodies the true assets of the company, and is more {valuable,sensitive,irreplaceable,vulnerable} by far than surreptitious access or damage to kernel data structures. So forget about trojans, viruses, worms, suids and passwords - be pragmatic, assume the worst, and learn to live in a compromised and hostile computing environment.

The two horns of the peril to your software are vandalism and theft. Although you cannot prevent vandalism, losses due to corruption can be minimized by backing up *everything* (and forever accumulating your tapes in a fireproof, floodproof, earthquakeproof, etc. vault, under lock and key :-)

To prevent theft, encrypt your data. Crypt(1) will get broken, so use other programs instead. I would offer to post the source to my "mix" scrambler, but friends on sci.crypt advise that exporting encryption software out of the US is possibly illegal. If true, as outrageous and against our ideals of free speech as such a restriction would be, I still wouldn't wish the bounty of my country's ayatollahs on my head: I will e-mail "mix" only to your US address - no retry on bouncing.

Here is a practical tip that may pay dividends: keep a *key library* (both the source and the object) of your software entirely off-line, and only load it, single-user mode, when you need to link with it.
--
Istvan Mohos
...uunet!pyrdc!pyrnj!hhb!istvan
1000 Wyckoff Ave. Mahwah NJ 07430
201-848-8000