Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!helios!bcm!dimacs.rutgers.edu!seismo!uunet!maverick.ksu.ksu.edu!ux1.cso.uiuc.edu!mp.cs.niu.edu!bennett
From: bennett@mp.cs.niu.edu (Scott Bennett)
Newsgroups: comp.sys.next
Subject: Re: Security of NeXT systems
Message-ID: <1991Mar1.012721.21589@mp.cs.niu.edu>
Date: 1 Mar 91 01:27:21 GMT
References: <1991Feb28.143720.7839@engage.enet.dec.com>
Organization: Northern Illinois University
Lines: 56

In article <1991Feb28.143720.7839@engage.enet.dec.com> tenny@ootool.dec.com (Dave Tenny) writes:
>
>
>I have a real need to allow people I don't really know to dial
>into my NeXT (running 2.0), as part of a cooperative development effort.
>While I fully intend to learn as much about them as possible, have them
>sign some forms, etc., security is still a big issue.
>
>Unfortunately, I know very little about Unix (especially NeXT specific)
>security holes, though in fact I've done quite a bit of security work
>on non-unix systems. So my general rule of thumb is to leave the NeXT
>directories and all system files with the protections they have
>when they ship, except for things modified in /etc for ttys,
>and UUCP related files.

     Well, for starters, pick up a copy of _UNIX_System_Security_ by
Wood and Kochan. Also, watch comp.security.announce, comp.unix.questions,
and comp.unix.wizards. (N.B. Send most questions to comp.unix.questions;
the wizards tend not to be very amused by intrusions from beginners. The
comp.unix.wizards group is intended to be used for highly technical
and/or esoteric questions/discussions. *Reading* comp.unix.wizards,
however, is a recommended educational route.) Also, pick up the cops
package and run it frequently.

>
>For the directories I want protected from prying eyes, umasks and
>protections are all appropriate.
>
>All accounts are password protected, and the people dialing up will
>have a special group id which won't be common to any other group.
>
>So my question for NeXT experts is this: will my NeXT be reasonably
>secure for dialin access? Will the above precautions prevent people
>from gaining root access (non-secure dialin line, so SU shouldn't work),

     Try it. The "secure" option in /etc/ttys didn't work in 4.3BSD.
I don't know whether it's fixed in the NeXT software.

>and will the precautions prevent them from looking in directories
>they shouldn't?
>
>Help is truly appreciated. My only alternative is to not let these
>people dial the NeXT, and it would cause many complications in development.
>
>Dave

                                  Scott Bennett, Comm. ASMELG, CFIAG
                                  Systems Programming
                                  Northern Illinois University
                                  DeKalb, Illinois 60115
**********************************************************************
* Internet:       bennett@cs.niu.edu                                 *
* BITNET:         A01SJB1@NIU                                        *
*--------------------------------------------------------------------*
*  "WAR is the HEALTH of the STATE"  --Albert Jay Nock (I think:-)   *
**********************************************************************