Path: utzoo!utgpu!cs.utexas.edu!sdd.hp.com!think.com!mintaka!spdcc!tauxersvilli!alphalpha!nazgul
From: nazgul@alphalpha.com (Kee Hinckley)
Newsgroups: alt.sources.d
Subject: Re: another 'su encancer'
Message-ID: <1991Apr27.025325.9321@alphalpha.com>
Date: 27 Apr 91 02:53:25 GMT
References: <1991Apr26.142736.21272@convex.com>
Organization: asi
Lines: 27

In article <1991Apr26.142736.21272@convex.com> tchrist@convex.COM (Tom Christiansen) writes:
>I think you guys are missing the point. Any command that grants
>unrestricted privilege to even one user without confronting them
>with a password is a security hole. All I have to do is be that
>user, through Trojan horses, people absent from their offices,
>TIOCSTI usurpation, etc.

What kind of places do you guys work anyway? Does paranoia really reign
supreme? The last place I worked had around 2000 workstations all on the
same remote file system (none of this NFS mount nonsense) and I'd say that
1 out of every 10 people (at the least) had a command lying around so they
could become root as necessary. Boom, instant access to over a terabyte of
data. Sure it was possible to disable remote root access - but hardly
anyone did. Besides which, most everything was at least _readable_ by
everybody.

Unauthorized root privileges aren't a security problem, they're a social
problem.

-- 
Alfalfa Software, Inc.          |       Poste: The EMail for Unix
nazgul@alfalfa.com              |       Send Anything... Anywhere
617/646-7703 (voice/fax)        |       info@alfalfa.com

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to
regulate everyone else's.