Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!uunet!bellcore!porthos!pyuxf!mal1
From: mal1@pyuxf.UUCP (maureen lecuona)
Newsgroups: comp.unix.admin
Subject: Re: Mysterious security hole
Message-ID: <77@pyuxf.UUCP>
Date: 18 Jun 91 18:17:09 GMT
References: <91161.131540SCHDAVZ@YaleVM.YCC.Yale.Edu> <70@pyuxf.UUCP> <319@dlss2.UUCP>
Reply-To: mal1@pyuxf.UUCP (25337-maureen lecuona)
Organization: Bellcore, Livingston, NJ
Lines: 23

James:

I agree that the "security hole" is the result of poor administrative 
practice, but I disagree that it is a "vendor" problem.  Inasmuch as
one is not buying a "turn key" application when one buys unix, and 
since unix presupposes some administration is being done by the 
purchasing individual or company, I fail to see any justification for
blaming vendors exclusively.
Vendors would be to blame only if the base installed
system came this with system directories (/usr/bin, say)
with rw permissions for all.  

But, as you must know, administrators OFTEN create the conditions which
allow security penetration.  After all, they tend to su to root all the
time, and maybe they haven't taken the time to set umask before creating
directories, or installing new products, or making new device nodes, etc... 

In any case, the "security hole" is the result of poor administration,
whether it's a vendor, or a novice administrator, and this does not
make this any less of a problem in my view.... 


M. Lecuona