Xref: utzoo comp.unix.internals:2545 comp.unix.admin:1592
Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!uwm.edu!ux1.cso.uiuc.edu!edotto
From: edotto@ux1.cso.uiuc.edu (Ed Otto)
Newsgroups: comp.unix.internals,comp.unix.admin
Subject: Re: Unix security additions
Message-ID: <1991Apr15.163013.20421@ux1.cso.uiuc.edu>
Date: 15 Apr 91 16:30:13 GMT
References: <39950@cup.portal.com> <1991Mar14.230944.9184@eci386.uucp> <1991Mar22.024124.3238@ec <1092@mwtech.UUCP> <19208@rpp386.cactus.org>
Organization: University of Illinois at Urbana
Lines: 52

jfh@rpp386.cactus.org (John F Haugh II) writes:

>>Under these circumstances, would it be wise to trust the same people that
>>they don't take the backup tapes and read them anywhere else?

>If you don't have physical security (i.e., they can take the tapes
>anywheres they want) and you can't trust your personnel, I'd suggest
>you turn off the computer system and just give up.

Nice thought...in my case it's a combination lock on the door to the machine
room that, two hours after it was installed, 46 people had the combination to...

>Basically your complaint is that you must give privileges to people
>that you can't trust not to abuse them, and that you can't control
>the data once they've taken it.  Sounds like you got a rather serious
>problem on your hands.  Good luck.

Ya - from me, too.  I simply said "I'll do all of the work."

>These are not the same problems.  They aren't even related to each
>other.  Particularly since the former is meant to prevent things
>that the latter can't address, such as people you didn't hire accessing
>your system.  The only completely secure computer is sitting in a room,
>with no outside connections, powered off, and encased in concrete.  If
>you insist on hiring people you think are going to violate the system's
>security, there is no point in keeping out the rest of the world.  You've
>already given the keys to the bad guys.

Yup...once the nasties are out and about your workplace, you've lost the whole
war...I mean, anyone with su access can run the 'adduser' script...and once
THAT happens, well, kiss it goodbye.

*******************************************************************************
*                              *  Netmail addresses:                          *
*  Edward C. Otto III          *    edotto@uipsuxb.ps.uiuc.edu                *
*  University of Illinois      *    edotto@uiucux1.cso.uiuc.edu               *
*  Printing Services Office    *    UIPSA::OTTO (Decnet node 46.99)           *
*  54A E. Gregory Dr.          *    otto@uipsa.dnet.nasa.gov                  *
*  Champaign, IL 61820         *    Office phone: 217/333-9422                *
*                              *                                              *
*******************************************************************************

"As knowledge is to ignorance, so is light unto the darkness."

--- GO 'PODS! ---