Xref: utzoo comp.unix.wizards:25305 alt.security:2388 Path: utzoo!utgpu!news-server.csri.toronto.edu!utcs.toronto.edu!cks Newsgroups: comp.unix.wizards,alt.security From: cks@hawkwind.utcs.toronto.edu (Chris Siebenmann) Subject: Re: BSD tty security, part 3: How to Fix It Message-ID: <1991May1.173902.15085@jarvis.csri.toronto.edu> Organization: UTCS Unix Systems Group References: <7310@segue.segue.com> <564@appserv.Eng.Sun.COM> Date: 1 May 91 21:39:02 GMT Lines: 30 lm@slovax.Eng.Sun.COM (Larry McVoy) writes: | Is all this fuss really worth it? I hate to appear caveliar and I | don't speak for Sun, just as a user, but does anyone really care? OK, | anyone except the Feds? Yeah, the system is insecure. In many | places. It seems to me that worrying about anti-social behavior | through tty's is the least of our problems. This is only true if you trust (or mostly trust) your user population. This is probably true at most commercial and research sites, less true at educational machines used by professors and graduate students, and not necessarily true at all for undergraduate machines. I'd like to trust the undergraduates, and to a certain extent I do, but not to this extent. Worse yet, it is VERY hard to have any sort of control over who gets accounts and access; students come and go, accounts are left inactive when people drop the course, people share their passwords with others, and people use easy to guess passwords. With some work, just about anyone could walk off the street here and log onto one of our undergraduate systems, and I have every reason to believe that some people do. All I can do is to make sure that once someone has managed to log on, the amount of damage they can do is minimized and easy to fix. -- "This is what separates us system programmers from the application programmers: we can ruin an entire machine and then recover it, they can only ruin their own files and then get someone else to restore them" - Geoff Collyer cks@hawkwind.utcs.toronto.edu ...!{utgpu,utzoo,watmath}!utgpu!cks