Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!sdd.hp.com!uakari.primate.wisc.edu!dali.cs.montana.edu!caen!zaphod.mps.ohio-state.edu!cis.ohio-state.edu!ucbvax!PAN.SSEC.HONEYWELL.COM!thompson
From: thompson@PAN.SSEC.HONEYWELL.COM (John Thompson)
Newsgroups: comp.sys.apollo
Subject: re: edrgy Security Hole
Message-ID: <9106272343.AA20474@pan.ssec.honeywell.com>
Date: 27 Jun 91 23:43:14 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 62

> I was doing some testing with edrgy and found that even in
> closed systems, it comes with a 755 protection.  Which means
> anyone can run it.
>
> Any user can log in, run edrgy, change the root password and
> be on his merry way.  I quickly changed all ours to 700.

No No No No No No No No No.

Any user can log in and run edrgy.  That is not the same as saying that
anyone can change the registry database.

There are four main owners of the registry (although most sites seem to
have the same owner for all of them).  The owner is a (possibly)
wildcarded SID, such as 'root.%.%' or '%.sys_admin.%' or
'thompson.sys_admin.sys_org'.  The four ownerships are

        entire registry
        'person' domain
        'group' domain
        'org' domain

The owner of the registry can change the owner of any domain, can run
rgy_admin, and can run rgy_merge.

The owner of each domain can create entries in his domain, and can
assign ownership to that name (for instance, as owner of the 'group'
domain, I could create a group 'r_and_d' and assign joe_admin.r_and_d.%
as the owner of it).

In addition to the four main owners, then, each person, each group, and
each org has an owner too.  (Again, most sites seem to keep one SID as
the owner of everything.)

These owners can do things too --

An owner of an org can:
        Add/Del members (persons that already exist)
        Change the properties of the org
        Delete the org

An owner of a group can:
        Add/Del members (persons that already exist)
        Change the properties of the group
        Delete the group

An owner of a person can:
        Change the props of the person (full name, etc)
        Delete the person
        Add accounts for the person, IF THEY ALSO OWN THE GROUP AND ORG
        OF THE NEW ACCOUNT, OR IF THE PERSON HAS BEEN MADE A MEMBER OF
        THE GROUP AND ORG ALREADY (by their owners).

So what can joe_user do, if he's not an owner?  Well, he can view the
registry, but then, joe_unix_user can read /etc/passwd, so there's no
added security breach.

Incidentally, all this info was found in the "Administering The
Domain/OS Registry" manual.  Might I suggest you RTFM?

-- jt

--
John Thompson
Honeywell, SSEC
Plymouth, MN  55441
thompson@pan.ssec.honeywell.com

Avoid the rush -- Procrastinate Now!
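The ownership rules laid out in the post above, as an added toy model written for this page.  It is not Apollo code and is not taken from the Domain/OS registry manual: the Registry class, its method names, the way '%' in an owner SID is matched, and the sample site (one sys_admin SID owning the registry, the three domains and most entries, plus a joe_admin who owns only the r_and_d group and the person bob) are all assumptions made for illustration.  What it shows is the point of the reply: being able to run edrgy gives joe_user read access, but every write is gated on owning the relevant entry, and adding an account needs ownership of the person plus the group and org (or existing membership in both).

```python
# Toy model of the Domain/OS registry ownership rules as the post describes
# them.  Added illustration, not Apollo code: the class layout, the method
# names, the '%' wildcard semantics and the sample site are assumptions.

from dataclasses import dataclass, field


def sid_matches(owner_sid: str, subject_sid: str) -> bool:
    """True if the concrete SID subject_sid (person.group.org) is covered by
    owner_sid.  A '%' field in the owner is assumed to match any value."""
    owner = owner_sid.split(".")
    subject = subject_sid.split(".")
    if len(owner) != 3 or len(subject) != 3:
        raise ValueError("SIDs must have the form person.group.org")
    return all(o == "%" or o == s for o, s in zip(owner, subject))


@dataclass
class Registry:
    registry_owner: str                # owner SID of the entire registry
    domain_owners: dict                # 'person' / 'group' / 'org' -> owner SID
    persons: dict = field(default_factory=dict)  # name -> owner SID
    groups: dict = field(default_factory=dict)   # name -> [owner SID, set of member persons]
    orgs: dict = field(default_factory=dict)     # name -> [owner SID, set of member persons]

    # Owner of the entire registry: may run rgy_admin / rgy_merge and
    # reassign domain owners.
    def can_run_rgy_admin(self, who: str) -> bool:
        return sid_matches(self.registry_owner, who)

    # Owner of a domain may create entries in it and pick their owner.
    def can_create_group(self, who: str) -> bool:
        return sid_matches(self.domain_owners["group"], who)

    def create_group(self, who: str, name: str, owner: str) -> None:
        if not self.can_create_group(who):
            raise PermissionError(f"{who} does not own the 'group' domain")
        self.groups[name] = [owner, set()]

    # Owner of a group may add/delete members that already exist as persons.
    def can_add_group_member(self, who: str, group: str) -> bool:
        return sid_matches(self.groups[group][0], who)

    def add_group_member(self, who: str, group: str, person: str) -> None:
        if person not in self.persons:
            raise KeyError(f"person {person!r} does not exist")
        if not self.can_add_group_member(who, group):
            raise PermissionError(f"{who} does not own group {group!r}")
        self.groups[group][1].add(person)

    # Owner of a person may add an account only if they also own the group
    # and org of the new account, or the person is already a member of both.
    def can_add_account(self, who: str, person: str, group: str, org: str) -> bool:
        if not sid_matches(self.persons[person], who):
            return False
        g_owner, g_members = self.groups[group]
        o_owner, o_members = self.orgs[org]
        owns_both = sid_matches(g_owner, who) and sid_matches(o_owner, who)
        member_of_both = person in g_members and person in o_members
        return owns_both or member_of_both

    # Anyone can read the registry, much as anyone can read /etc/passwd.
    def can_view(self, who: str) -> bool:
        return True


def sample_registry() -> Registry:
    """Constructed sample site: one sys_admin SID owns the registry, all three
    domains and most entries; joe_admin owns the 'r_and_d' group and the
    person 'bob', but not the 'sys_org' org."""
    admin = "%.sys_admin.%"
    reg = Registry(registry_owner=admin,
                   domain_owners={"person": admin, "group": admin, "org": admin})
    reg.persons = {"root": admin, "joe_user": admin, "bob": "joe_admin.%.%"}
    reg.groups = {"sys_admin": [admin, {"root"}],
                  "users": [admin, {"joe_user"}],
                  "r_and_d": ["joe_admin.r_and_d.%", {"bob"}]}
    reg.orgs = {"sys_org": [admin, {"root", "joe_user", "bob"}]}
    return reg


if __name__ == "__main__":
    reg = sample_registry()
    joe = "joe_user.users.sys_org"
    jt = "thompson.sys_admin.sys_org"
    print("joe_user can run rgy_admin:", reg.can_run_rgy_admin(joe))         # False
    print("joe_user can add a root account:",
          reg.can_add_account(joe, "root", "sys_admin", "sys_org"))         # False
    print("joe_user can view the registry:", reg.can_view(joe))             # True
    print("thompson can add a root account:",
          reg.can_add_account(jt, "root", "sys_admin", "sys_org"))          # True
```

The interesting case is joe_admin: he owns the person bob and the r_and_d group but not the sys_org org, so he can give bob an account in r_and_d.sys_org only because bob was already made a member of both by their owners; the same request for a group bob is not in is refused.  Mode 755 on the edrgy binary never enters into any of these decisions.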