Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!uunet!world!eff!ckd
From: ckd@eff.org (Christopher Davis)
Newsgroups: comp.admin.policy
Subject: Re: SUSPEND SYSOPS, NOT STUDENTS
Message-ID:
Date: 18 Jun 91 23:53:05 GMT
References: <20740@slice.ooc.uva.nl> <1991Jun18.182241.21895@bellcore.bellcore.com>
Sender: ckd@eff.org (Christopher Davis)
Organization: The Electronic Frontier Foundation
Lines: 78
In-Reply-To: jona@iscp.Bellcore.COM's message of Tue, 18 Jun 91 18:22:41 GMT

Jon> == Jon Alperin

Jon> If I run a system, then it is my responsibility to maintain security.

The users have no responsibility? They don't need to keep their
passwords secret? They don't need to keep their .login from being
world-writable?

Jon> I still believe that "logging in to a user's account and sending
Jon> them mail from their own account" is not the proper way to inform
Jon> someone of a security hole.

Agreed. Unless it's a 'they left their terminal logged in for six hours
in the public cluster' case, where 'send themselves mail reminding them
to log out, then log them out' is probably a good response. (That isn't
*logging in* as them, though.)

Jon> This is akin to removing all files on a system to show someone
Jon> that all files can be removed. Furthermore, if you are not the
Jon> sysadmin on that system, it is not your responsibility to insure
Jon> that another user has a good password.

Agreed. Password crunching without prior arrangement (for things like
research on 'how many dictionary passwords there are on an undergrad
machine') should get smashed down hard. Of course, if you can run
shadowing, you should.

[Even the sysadmin shouldn't ever have to run a cruncher on any
passwords; replace the 'passwd' program with the one from _Programming
Perl_, and let it check them while they're still in plaintext.]

Jon> All you are responsible for is maintaining your own password as
Jon> being safe. How do you think the sysadmin is going to react when a
Jon> user tells him/her that "someone broke into my account"?

Probably pretty badly. How do you think the sysadmin is going to react
when someone says "Hey, Jim just broke root and nuked your account
because he doesn't like you. Maybe you shouldn't have left /var/spool
world-writable."?

Again, we're not quite communicating here. Someone else had the analogy
of an apartment building (or dorm) with common areas for "residents
only" and individual apartments as well. (I used to live in one of
these; we each had a front door key *and* a room key.)

Should a resident report a broken front door lock to someone? Yes.

Should a resident report it when there's a set of keys sitting in the
lounge, clearly marked "Master Keys"? Yes.

Should the resident TRY or USE those keys? HELL NO.

If the building had computer door locks, and the master computer lock
box was unlocked, should they report that? Yes.

Should they play with it to see if they could unlock their friend's
room? HELL NO.

System administrators should run COPS. They should encourage the users
to run COPS (without permission; do you folks REALLY think the cracker
is going to ask permission? The first you'll know about it is when the
crontab for 'rm -rf /' goes off...). If the sysadmins are running it,
especially often, it won't matter if the users do.

The users should then GIVE THE RESULTS TO THE SYSADMINS. Very simple.
This doesn't require exploiting any holes, or doing anything like that.
Simple REPORTING will suffice. I think most sysadmins will realize that
mail saying "Hey, here's a COPS run, you might want to fix that
/var/spool problem" is something they should deal with...

There is a middle ground between "Let the sysadmin take care of it" and
"They're not doing anything, so I should become root and fix it." It's
the "I'll watch for stuff, and I'll let them fix it" point.

--Chris
--
Christopher Davis              | ELECTRONIC MAIL WORDS OF WISDOM #5:
System Manager & Postmaster    | "Internet mail headers are
Electronic Frontier Foundation | not unlike giblets."
+1 617 864 0665                | -- Paul Vixie