Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!thunder.mcrcim.mcgill.edu!snorkelwacker.mit.edu!usc!samsung!umich!terminator!pisa.ifs.umich.edu!rees
From: rees@pisa.ifs.umich.edu (Jim Rees)
Newsgroups: comp.sys.apollo
Subject: Re: Security with rc files
Message-ID: <4f200850.1bc5b@pisa.ifs.umich.edu>
Date: 10 Jan 91 17:39:30 GMT
References: <9101101046.AA06527@apo.esiee.fr>
Sender: usenet@terminator.cc.umich.edu (usenet news)
Reply-To: rees@citi.umich.edu (Jim Rees)
Organization: University of Michigan IFS Project
Lines: 12

In article <9101101046.AA06527@apo.esiee.fr>, bonnetf@apo.esiee.fr (bonnet-franck) writes:

  4 - The bad thing is that these files are NOT protected after their creation ... 
      Everybody has "pwrx" rights on these files, ouch !                            

This doesn't happen on my sr10.3 node.  The rc files are copied from
/etc/templates using cpio and have the same rights as the templates.  Maybe
it depends on whether you are using netman.bin_sh or netman.com_sh.

A more serious problem is that `node_data is often completely open, allowing
you to rename `node_data/etc and create your own.  /etc/init should refuse
to run /etc/rc if it isn't owned by root.