Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!ccu.umanitoba.ca!herald.usask.ca!alberta!ubc-cs!uw-beaver!mit-eddie!wuarchive!cs.utexas.edu!uunet!stephsf!wengland
From: wengland@stephsf.stephsf.com (Bill England)
Newsgroups: comp.unix.sysv386
Subject: Re: SECURITY BUG IN INTERACTIVE UNIX SYSV386
Keywords: BAD BUG
Message-ID: <491@stephsf.stephsf.com>
Date: 14 Feb 91 23:41:32 GMT
References: <483@stephsf.stephsf.com> <6913@rsiatl.Dixie.Com> <1854@chinacat.Unicom.COM>
Organization: Stephen Software Systems, Inc., Tacoma WA
Lines: 22

In article <1854@chinacat.Unicom.COM> chip@chinacat.Unicom.COM (Chip Rosenthal) writes:
> [...]
>fixing logfile permissions. If UNIX is broken, no amount of C2 cruft is
>going to fix it.

True. Presumably when you purchase the rights to use SecureWare's
tools they give you a _test_suite_ of ice-breaking software that
tests for security bugs on your system. It would be bad advertising
indeed to certify a system C2 and then have this bug unveiled. :-)

As for the Uucp I believe that having strict C2 requires NOT using
UUCP and disallowing ftp. I'm not sure if TCP/IP would be considered
a C2 security violation and even running an xterm may be a problem.

--
+- Bill England, wengland@stephsf.COM -----------------------------------+
| * *     H -> He +24Mev                                                 |
| * * * ... Oooo, we're having so much fun making itty bitty suns *      |
|__ * * _________________________________________________________________|