Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!caen!news.cs.indiana.edu!msi.umn.edu!cs.umn.edu!quest!digibd!rhealey
From: rhealey@digibd.com (Rob Healey)
Newsgroups: comp.unix.sysv386
Subject: Re: C2 and Networking <was: SECURITY BUG IN INTERACTIVE UNIX SYSV386>
Keywords: BAD BUG
Message-ID: <1991Feb21.222349.4177@digibd.com>
Date: 21 Feb 91 22:23:49 GMT
References: <1854@chinacat.Unicom.COM> <491@stephsf.stephsf.com> <249@raysnec.UUCP>
Organization: DigiBoard Incorporated, St. Louis Park, MN
Lines: 20

In article <249@raysnec.UUCP> shwake@raysnec.UUCP (Ray Shwake) writes:
>wengland@stephsf.stephsf.com (Bill England) writes:
>>   As for the Uucp I believe that having strict C2 requires NOT using
>>   UUCP and disallowing ftp.  I'm not sure if TCP/IP would be 
>>   considered a C2 security violation and even running an xterm may
>>   be a problem.
>
>I don't think this is true, at least in the case of UUCP. What, after all,
>is the difference between a uucp login and a user login? Both operate under
>the various discretionary access controls, audits, etc. associated with
>C2. FTP may be another story however.
>
	If I remember my original purusing of the manuals, ANY form of
	networking on the machine invalidates C2 specifications...

	Either UUCP or TCP would disqualify the system as C2. Did SCO
	ACTUALLY have this system checked and validated for C2 by the
	feds? Or are they pulling a SUN and only saying it COULD be C2?

		-Rob