Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!uunet!spool.mu.edu!agate!agate!adrianho
From: adrianho@barkley.berkeley.edu (Adrian J Ho)
Newsgroups: comp.admin.policy
Subject: Re: Possibly nefarious users
Message-ID:
Date: 15 Jun 91 08:00:42 GMT
References: <1991Jun6.214915.18946@athena.mit.edu> <1991Jun7.164102.672@progress.com> <1991Jun7.184025.25010@eng.umd.edu> <1991Jun7.215349.11643@zaphod.mps.ohio-state.edu> <1991Jun14.132933.4466@news.larc.nasa.gov>
Sender: usenet@agate.berkeley.edu (USENET Administrator)
Organization: University of California, Berkeley
Lines: 33
In-Reply-To: kludge@grissom.larc.nasa.gov's message of 14 Jun 91 13:29:33 GMT

In article <1991Jun14.132933.4466@news.larc.nasa.gov> kludge@grissom.larc.nasa.gov (Scott Dorsey) writes:
> Nothing stupid at all about having publicly accessible guest accounts.

Read on.

>If you have a guest account, you expect guests to use it. That's why it's
>called a "guest" account. Much like having an anonymous FTP set up, you
>have it there for people to use it.

Shouldn't you know who your "guests" are? If so, why not create
(temporary) accounts for them outright, instead of mucking around with
a single account named "guest" that's just _asking_ to be messed with?

The analogy with anonymous FTP breaks down when you consider that in
the latter, your capabilities are strictly circumscribed by the FTP
protocol, whereas with a "guest" account, the sky's the limit, once
the user has circumvented any roadblocks you've thrown in his/her way.

>But if you make the point that you don't want people hacking on this account
>and that there isn't much on the machine that's worthwhile, you shouldn't
>have a problem.

Not true. Ever heard of "distributed password-cracking"? Access to
your machine itself is a valuable resource to a sufficiently
enlightened user, especially since distributed processing is all the
rage now, in more ways than one.....

> That's not to say that you don't keep a good eye on what's
>going on there to make sure that there aren't any problems, but that's what
>system administration is all about, folks.

Well, there's enough problems to worry about without leaving my back
door wide open, so I'll pass on "guest" accounts, thank you.