Xref: utzoo comp.unix.wizards:25210 alt.security:2344
Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!swrinde!cs.utexas.edu!sun-barr!newstop!exodus!appserv!slovax.Eng.Sun.COM!lm
From: lm@slovax.Eng.Sun.COM (Larry McVoy)
Newsgroups: comp.unix.wizards,alt.security
Subject: Re: BSD tty security, part 3: How to Fix It
Message-ID: <564@appserv.Eng.Sun.COM>
Date: 29 Apr 91 03:54:42 GMT
References: <7310@segue.segue.com>
Sender: news@appserv.Eng.Sun.COM
Followup-To: comp.unix.wizards
Organization: Sun Microsystems, Mt. View, CA.
Lines: 26

In the referenced message, brnstnd@kramden.acf.nyu.edu (Dan Bernstein) wrote:
}13. Fix write. Many people don't appreciate how poor write's security
}is; I quote from my pty paper's description of a write clone:
}: ... blah, blah ...
}code from it. Don't even give me any credit, just fix the bugs. Please.

Is all this fuss really worth it?  I hate to appear caveliar and I
don't speak for Sun, just as a user, but does anyone really care?  OK,
anyone except the Feds?  Yeah, the system is insecure.  In many
places.  It seems to me that worrying about anti-social behavior
through tty's is the least of our problems.

I would much rather see all this energy going into making the system
secure enough that ``bad'' people can't login, rather then worrying
about the annoying write messages from people who have been given an
account.  Seems to me that you are in much worse trouble if you let an
outsider into your network/machine.  As long as we manage to prevent
that from happening, I think most admins can deal with people
misbehaving.

I dunno, maybe I'm missing some important point, but it seems rather
paranoid to me to worry about the people who have accounts on your
machine.  You trusted them enough to give them an account, where did
that trust go?
---
Larry McVoy, Sun Microsystems     (415) 336-7627       ...!sun!lm or lm@sun.com