Xref: utzoo comp.unix.internals:2336 comp.unix.admin:1211
Path: utzoo!news-server.csri.toronto.edu!rutgers!att!emory!swrinde!cs.utexas.edu!chinacat!sequoia!rpp386!jfh
From: jfh@rpp386.cactus.org (John F Haugh II)
Newsgroups: comp.unix.internals,comp.unix.admin
Subject: Re: Unix security additions
Message-ID: <19105@rpp386.cactus.org>
Date: 14 Mar 91 13:24:12 GMT
References: <39950@cup.portal.com> <565@rufus.UUCP> <1921@bacchus.esa.oz.au>
Reply-To: jfh@rpp386.cactus.org (John F Haugh II)
Organization: Lone Star Cafe and BBS Service
Lines: 37
X-Clever-Slogan: Recycle or Die.

In article <1921@bacchus.esa.oz.au> craig@bacchus.esa.oz.au (Craig Macbride) writes:
>In <565@rufus.UUCP> drake@drake.almaden.ibm.com writes:
>>o Access Control Lists (ACLs) on individual files.
>>o Getting the passwords where they can't be publically read
>
>These are both designed to be non-standard and break other people's software.
>I'd call them good if they didn't do that.

There is NO standard for ACLs - POSIX 1003.6 is still not soup yet,
and when I argued to pick Draft 9 and stick with that until POSIX
Dot6 =was= soup, someone pointed out that there was soon going to be
YetAnotherDot6Draft.

As for shadowed passwords, it is worth pointing out that there is NO
standard for that yet either. AT&T changed the format of the shadow
data from SVR3.2 to SVR4. BSD is just catching on to the idea, etc.
I have argued with the current security department guys to have
SVR4-compatible library routines for getting the shadowed data, but I
don't know what they are doing with that suggestion. Coding up a set
of getspent(3) routines wouldn't take much effort. I'd do it if I had
a S/6000 I could access from home (hint, hint).

>>o Eliminating setuid shell scripts
>
>A good idea in theory, but the security of the system is still largely a
>matter of how it's administered.

They should be removed, but only because they are a giant security hole.
IBM has not, despite Drake's claim, removed setuid shell scripts from
the system. For that matter, most of the other vendors haven't
either ...
-- 
John F. Haugh II        | Distribution to      | UUCP: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 832-8832 | GEnie PROHIBITED :-) | Domain: jfh@rpp386.cactus.org
"I've never written a device driver, but I have written a device driver manual"
                -- Robert Hartman, IDE Corp.
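
The kind of record a getspent(3)-compatible routine has to parse, as an added example that is not part of the original post and is not the author's or any vendor's code. It assumes the nine colon-separated fields of SVR4's struct spwd; `shadow_ent`, `num_field` and `parse_shadow_line` are hypothetical names, and the sample line is constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record; fields follow the order of SVR4's struct spwd. */
struct shadow_ent {
    char *name, *pwd;   /* login name, password hash (point into line) */
    long lstchg, min, max, warn, inact, expire, flag;   /* -1 = unset */
};

/* Empty field means "unset" (-1); anything but plain digits fails. */
static int num_field(const char *s, long *out)
{
    char *end;
    if (*s == '\0') { *out = -1; return 0; }
    if (*s < '0' || *s > '9') return -1;    /* no sign, no whitespace */
    errno = 0;
    *out = strtol(s, &end, 10);
    return (errno == 0 && *end == '\0') ? 0 : -1;
}

/* Split one line in place. Returns 0 on success, -1 on a malformed
 * record, so a damaged file is rejected instead of half-parsed. */
int parse_shadow_line(char *line, struct shadow_ent *sp)
{
    char *f[9], *p, *q;
    long *num[7] = { &sp->lstchg, &sp->min, &sp->max, &sp->warn,
                     &sp->inact, &sp->expire, &sp->flag };
    int n = 0, i;

    line[strcspn(line, "\n")] = '\0';
    for (p = line; ; p = q + 1) {
        if (n == 9) return -1;              /* more than nine fields */
        f[n++] = p;
        if ((q = strchr(p, ':')) == NULL) break;
        *q = '\0';
    }
    if (n != 9 || f[0][0] == '\0') return -1;
    sp->name = f[0];
    sp->pwd = f[1];
    for (i = 0; i < 7; i++)
        if (num_field(f[2 + i], num[i]) != 0) return -1;
    return 0;
}

int main(void)
{
    char line[] = "alice:HASH:7742:0:90:7:::\n";    /* constructed sample */
    struct shadow_ent e;
    if (parse_shadow_line(line, &e) == 0)
        printf("%s: max age %ld days, expire %ld\n", e.name, e.max, e.expire);
    return 0;
}
```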