Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.1 6/24/83; site ukma.UUCP
Path: utzoo!watmath!clyde!cbosgd!hasmed!qusavx!ukma!sean
From: sean@ukma.UUCP (Sean Casey)
Newsgroups: net.unix-wizards
Subject: Re: Re: Re: Findsuid source (Re: Security an
Message-ID: <624@ukma.UUCP>
Date: Tue, 5-Feb-85 00:59:22 EST
Article-I.D.: ukma.624
Posted: Tue Feb 5 00:59:22 1985
Date-Received: Wed, 6-Feb-85 05:46:33 EST
References: <327@lsuc.UUCP> <6200045@uokvax.UUCP>, <332@enmasse.UUCP>
Organization: Univ. of KY Mathematical Sciences
Lines: 28

> Another problem with having a find-suid-programs program that runs based
> on crontab entries is that anyone can see when the find-suid-programs
> program is going to run next, and make their moves on that basis.
>
> kurt

I do not think that findsuid is designed to be a serious security program.
It is a nice little watchdog that will trap a novice who happens to find a
bug (there's lots) and creates his own su (or similar), but it's extremely
simple, and easy to bypass.

A friend of mine wrote an interesting security program for TOPS-10. It
locked itself in core and set up breakpoints at some of the monitor calls.
It then checked the parameters on these calls and made sure they were "ok".
It entwined itself with the monitor so tightly that it was almost
impossible to defuse without taking down the whole monitor with it. It
checked for a number of things and logged (in an undeletable file!)
conditions which it considered unusual.

If I were to go about writing a serious security program for Unix, I'd
probably go about it much the same way. I would make the process as
unkillable as possible, and have it periodically check things.

'nuff ramblin'

Sean Casey
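The "little watchdog" Sean describes is a baseline-and-diff check over setuid/setgid files: record what is privileged today, then report anything that appears, disappears or changes. The script below is an added example written for this page; it is not the findsuid source under discussion nor the TOPS-10 program, and it assumes Python 3, a scan root given on the command line (default `/usr`) and a baseline file `suid-baseline.json` whose name is a constructed choice.

```python
"""Baseline-diff watchdog for setuid/setgid files.

Added example, not the findsuid source discussed in the post. First run
records a baseline; later runs report new, removed or altered privileged
files. Pair it with an append-only log so a new "su" cannot erase the
evidence of its own arrival.
"""
import json
import os
import stat
import sys
from typing import Dict, List, Tuple

# One privileged file is identified by (mode, uid, gid, size); any change is reported.
Record = Tuple[int, int, int, int]


def is_privileged(mode: int) -> bool:
    """True for a regular file carrying the setuid or setgid bit.

    Directories with setgid are deliberately ignored: that bit only controls
    group inheritance there and is not an exec-time privilege.
    """
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))


def scan_tree(root: str) -> Dict[str, Record]:
    """Walk root (without following symlinks) and collect privileged files."""
    found: Dict[str, Record] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat so a symlink is judged by itself
            except OSError:
                continue  # vanished or unreadable during the walk; skip it
            if is_privileged(st.st_mode):
                found[path] = (st.st_mode, st.st_uid, st.st_gid, st.st_size)
    return found


def diff_baseline(
    baseline: Dict[str, Record], current: Dict[str, Record]
) -> Tuple[List[str], List[str], List[str]]:
    """Return (added, removed, changed) paths relative to the stored baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    common = set(current) & set(baseline)
    changed = sorted(p for p in common if current[p] != baseline[p])
    return added, removed, changed


def format_report(added: List[str], removed: List[str], changed: List[str]) -> List[str]:
    """Human-readable lines, one per finding, suitable for appending to a log."""
    lines = [f"NEW setuid/setgid file: {p}" for p in added]
    lines += [f"REMOVED setuid/setgid file: {p}" for p in removed]
    lines += [f"CHANGED setuid/setgid file (mode/owner/size): {p}" for p in changed]
    return lines


def load_baseline(path: str) -> Dict[str, Record]:
    """Load a previously saved baseline; an absent file means 'no baseline yet'."""
    if not os.path.exists(path):
        return {}
    with open(path) as fh:
        return {k: tuple(v) for k, v in json.load(fh).items()}


def save_baseline(path: str, records: Dict[str, Record]) -> None:
    with open(path, "w") as fh:
        json.dump(records, fh, indent=1, sort_keys=True)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr"
    base_file = sys.argv[2] if len(sys.argv) > 2 else "suid-baseline.json"  # constructed default
    baseline = load_baseline(base_file)
    current = scan_tree(root)
    if not baseline:
        save_baseline(base_file, current)
        print(f"baseline written: {len(current)} privileged files under {root}")
    else:
        for line in format_report(*diff_baseline(baseline, current)):
            print(line)
```

As kurt notes above, a cron-driven run is predictable; the same functions can be called from a long-lived process on an irregular schedule, and the baseline file itself belongs somewhere the checked system cannot rewrite (another host, or a file the log daemon alone can append to).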