Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!samsung!uunet!mcsun!ukc!axion!gapos!davep From: davep@gapos.bt.co.uk (Dave Parkinson) Newsgroups: comp.os.minix Subject: Re: MINIX Security Message-ID: Date: 25 Mar 91 08:37:02 GMT References: <48053@nigel.ee.udel.edu> <2385@tuvie.UUCP> Sender: usenet@gapos.bt.co.uk (Usenet login) Organization: British Telecom Applied Systems. Lines: 28 Security has many aspects to it. As has been mentioned here virtually all systems from Crays to pocket calculators are vulnerable where the attacker has direct physical access to the hardware. (Simply switching the power off or wielding a sledgehammer can cause denial of service!). Systems can be re-booted with alternate operating systems, or in a different mode. 'Maintenance' utilities, tools etc can be run. I would assume that the base hardware is adequately safeguarded, and the route for attack is via a user terminal or dial in modem line. Thus the questions that need answering are: 1) Can an un-authorised person log onto the system? 2) Can a user - once logged on to the system - perform actions beyond those he authorised to do? In an open *ix type system the latter depends in the first instance in how well the system is set up (what permissions are set on what files etc). - eg It should not be possible for the average user to change the password file with a text editor, or even to run 'de'. The next question is are there any underlying flaws in the operating system design that let an attacker circumvent the controls that are in place? The fact that the Minix password algorithm is apparently reversable is such a flaw (and easily correctable). Comments like 'read the hard disk on another machine', whilst accurate don't really answer the question.