Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!thunder.mcrcim.mcgill.edu!snorkelwacker.mit.edu!spool.mu.edu!uunet!mcsun!hp4nl!let.rug.nl!ton
From: ton@let.rug.nl (Ton Roovers)
Newsgroups: comp.sys.hp
Subject: Security hole in HP-UX
Keywords: security HP-UX login
Message-ID: <1581@gufalet.let.rug.nl>
Date: 20 Feb 91 13:57:33 GMT
Organization: Faculty of Arts, Groningen University, The Netherlands
Lines: 39


Some months ago I converted our HP-UX 7.0 systems to 'secure systems'.
Only last week one of 'my' users discovered (by pure accident), that
by making a mistake in entering his username (in login) he was logged
in as ROOT! (I think it is not wise to state the exact procedure here).

I immediately contacted our CRC about this and within a few hours
I had a new version of the login program in my e-mailbox and the
problem was fixed. But I noticed that this 'new' version of login
was over ONE YEAR OLD (Feb. 6, 1990). How many HP-UX systems are
running today with the same huge security hole? When I asked the
engineer of the (Dutch) CRC he answered, that it is not a standard
procedure of HP to send their clients all possible patches, because
many of them are not useful for all systems. So you have to ask for
them. Furthermore there is no way of warning clients of possible
security holes...  Of course I (re)read the Software Status Bulletins,
but they did not contain any reference to this problem. I even went
through all my accumulated articles in comp.sys.hp with the same result.

You could have this problem too, if you are running HP-UX 6.5 (on 300's)
or 7.0 (on 300's and 800's) with the original login AND you converted
to 'secure system'. Please contact your CRC, not me: I'm still busy
checking if someone in the last months actually USED this hole in my
systems :-(

I know there has been a lengthy discussion on the topic of customer
support in this newsgroup and don't want to trigger a new one right
now, but I would like to repeat here what I told my CRC-engineer:

"I expect to be warned by Hewlett-Packard for possible security problems
 in my HP-systems just like I expect the manufacturer of my car to warn
 me if the brakes are not safe."


-- 
 Ton Roovers                                                    systems manager
_______________________________________________________________________________
 Faculty of Arts and Letters, Groningen University               ton@let.rug.nl
 PO Box 716, NL 9700 AS Groningen, The Netherlands