Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!elroy.jpl.nasa.gov!decwrl!pa.dec.com!shlump.nac.dec.com!engage!ootool.dec.com!tenny
From: tenny@ootool.dec.com (Dave Tenny)
Newsgroups: comp.sys.next
Subject: Security of NeXT systems
Message-ID: <1991Feb28.143720.7839@engage.enet.dec.com>
Date: 28 Feb 91 14:36:40 GMT
Sender: news@engage.enet.dec.com (USENET News System)
Organization: Digital Equipment Corporation
Lines: 30

I have a real need to allow people I don't really know to dial into my NeXT
(running 2.0), as part of a cooperative development effort. While I fully
intend to learn as much about them as possible, have them sign some forms,
etc., security is still a big issue.

Unfortunately, I know very little about Unix (especially NeXT specific)
security holes, though in fact I've done quite a bit of security work on
non-unix systems.

So my general rule of thumb is to leave the NeXT directories and all system
files with the protections they have when they ship, except for things
modified in /etc for ttys, and UUCP related files. For the directories I
want protected from prying eyes, umasks and protections are all appropriate.
All accounts are password protected, and the people dialing up will have a
special group id which won't be common to any other group.

So my question for NeXT experts is this: will my NeXT be reasonably secure
for dialin access? Will the above precautions prevent people from gaining
root access (non-secure dialin line, so SU shouldn't work), and will the
precautions prevent them from looking in directories they shouldn't?

Help is truly appreciated. My only alternative is to not let these people
dial the NeXT, and it would cause many complications in development.

Dave
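A small audit script for the two precautions the post relies on, added here as an example and not part of the original post or of NeXT's own tools: it lists dial-in entries in a 4.3BSD-style /etc/ttys that still carry the "secure" flag (which lets root log in directly on that line), and lists entries under a directory that the "other" class can read or traverse. It assumes the BSD ttys layout (name, quoted getty command, type, status, optional "secure") and a POSIX find(1); the ttys file and directory tree it builds are constructed samples.

```shell
#!/bin/sh
# Added audit helper, not from the original post. Assumes the 4.3BSD-style
# /etc/ttys layout and a POSIX find(1); the sample file and directories
# below are constructed, not a real NeXT configuration.

# Print ttys of terminal type "dialup" that also carry the "secure" flag.
# The post wants the dial-in lines non-secure, so any name printed here
# is a line whose flag should be removed.
secure_dialups() {
    awk '
        $1 ~ /^#/ || NF == 0 { next }        # skip comments and blank lines
        {
            line = $0
            sub(/"[^"]*"/, "GETTY", line)    # collapse the quoted getty field
            n = split(line, f)               # default FS: runs of blanks
            secure = 0
            for (i = 4; i <= n; i++) if (f[i] == "secure") secure = 1
            if (f[3] == "dialup" && secure) print f[1]
        }' "$1"
}

# List entries under a directory that "other" can read (004) or traverse
# (001). The dial-in users sit in their own group, so for the private
# directories in the post they fall into the "other" class.
world_accessible() {
    find "$1" \( -perm -004 -o -perm -001 \) -print | sort
}

# Constructed sample /etc/ttys and directory tree for a stand-alone run.
SAMPLE_TTYS=$(mktemp)
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_TTYS" "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_TTYS" <<'EOF'
# name    getty                        type     status
console   "/usr/etc/getty std.9600"    vt100    on secure
tty00     "/usr/etc/getty std.2400"    dialup   on
tty01     "/usr/etc/getty std.2400"    dialup   on secure
ttyp0     none                         network  off
EOF
mkdir "$SAMPLE_DIR/private" "$SAMPLE_DIR/shared"
chmod 700 "$SAMPLE_DIR/private"; chmod 755 "$SAMPLE_DIR/shared"
touch "$SAMPLE_DIR/private/notes"; chmod 600 "$SAMPLE_DIR/private/notes"

echo "dial-in lines still marked secure:"
secure_dialups "$SAMPLE_TTYS"                 # prints: tty01
echo "entries readable or traversable by others:"
world_accessible "$SAMPLE_DIR"                # prints only .../shared
```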