Xref: utzoo comp.unix.internals:2322 comp.unix.admin:1190
Path: utzoo!news-server.csri.toronto.edu!rutgers!news.cs.indiana.edu!samsung!sdd.hp.com!spool.mu.edu!munnari.oz.au!mel.dit.csiro.au!yarra!bacchus!craig
From: craig@bacchus.esa.oz.au (Craig Macbride)
Newsgroups: comp.unix.internals,comp.unix.admin
Subject: Re: Unix security additions
Message-ID: <1921@bacchus.esa.oz.au>
Date: 12 Mar 91 23:51:44 GMT
References: <39950@cup.portal.com> <565@rufus.UUCP>
Organization: Expert Solutions Australia, Hawthorn, Victoria
Lines: 40

In <565@rufus.UUCP> drake@drake.almaden.ibm.com writes:

>I don't know about "unix" in general ... looking at AIX V3 in particular,
>I suspect they are:

>o Access Control Lists (ACLs) on individual files.
>o Getting the passwords where they can't be publically read

These are both designed to be non-standard and break other people's software.
I'd call them good if they didn't do that.

>o Telling me when I log on when the last time I logged on was,
>  and how many times someone has tried to log onto my account
>  with an invalid password since I last logged on.

The only really good one of the lot. It can (and should) be implemented and
doesn't provide problems.

>o Eliminating setuid shell scripts

A good idea in theory, but the security of the system is still largely a
matter of how it's administered. Why shouldn't people who want to use setuid
shell scripts be allowed to? Because IBM or AT&T says so? I don't really think
that's a good enough reason. Vendors shouldn't provide setuid shell scripts in
their distribution, but there is no reason why people should not be able to
use them. This is like censorship in concept: If people think using setuid
scripts is a bad idea (which it usually is), they don't have to use them. If
every construct in C which has the possibility of being abused had been
removed from the language, there wouldn't be a whole lot left.

>o Providing alternatives to NFS with better security characteristics

Another excuse to make yet another non-standard piece of software.

But then, who really believes that AIX is Unix? :-)

-- 
 _____________________________________________________________________________
| Craig Macbride, craig@bacchus.esa.oz.au      | Hardware:                    |
|                                              | The parts of a computer      |
| Expert Solutions Australia                   | which you can kick!          |