Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!uunet!mcsun!hp4nl!svin02!eba!ebh.eb.ele.tue.nl!wjw
From: wjw@ebh.eb.ele.tue.nl (Willem Jan Withagen)
Newsgroups: comp.sys.apollo
Subject: re: edrgy Secuity Hole
Message-ID: <1230@eba.eb.ele.tue.nl>
Date: 28 Jun 91 08:52:36 GMT
References: <9106272343.AA20474@pan.ssec.honeywell.com>
Sender: news@eb.ele.tue.nl (The News system)
Reply-To: wjw@eb.ele.tue.nl
Organization: Digital Systems, Eindhoven University of Technology, the Netherlands
Lines: 39

In article <9106272343.AA20474@pan.ssec.honeywell.com>, thompson@PAN.SSEC.HONEYWELL.COM (John Thompson) writes:
=> 
=> 
=> > I was doing some testing with edrgy and found that even in
=> > closed systems, it comes with a 755 protection.  Which means
=> > anyone can run it.  
=> > 
=> > Any user can log in, run edrgy, change the root password and
=> > be on his merry way.  I quickly changed all ours to 700.
=> 
=> No No No No No No No No No.
[stuff copied from the manual deleted.]
I'll go along with what John says.

However there is the default setting with this:
	which is %.%.%, and as a consequence everybody can change anybodies
	items. :)
Change it with the defaults commando. You also might want to look at
the properties with 'properties'.

So for a more secure system you have to manually the change the default owners
of account, ... to something more restrictive: root.wheel.none ?

Furthermore are the default available accounts created with this rubish setting
which means that they have to be manually changed with the 
'change xx -o owner' command (xx = person,group,org)

Just have a check with:
do person
v root -f

And if it goes %.%.% then correct it.

Willem Jan
-- 
Eindhoven University of Technology   DomainName:  wjw@eb.ele.tue.nl    
Digital Systems Group, Room EH 10.10 
P.O. 513                             Tel: +31-40-473401
5600 MB Eindhoven                    The Netherlands