Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP Posting-Version: version B 2.10.3 4.3bsd-beta 6/6/85; site gwsd.UUCP Path: utzoo!linus!philabs!cmcl2!seismo!harvard!talcott!panda!genrad!decvax!ittatc!dcdwest!sdcsvax!gwsd!revc From: revc@gwsd.UUCP (Bob Van Cleef) Newsgroups: net.micro.att Subject: Re: Remote shutdown of PC 7300 Message-ID: <142@gwsd.UUCP> Date: Fri, 2-Aug-85 11:09:07 EDT Article-I.D.: gwsd.142 Posted: Fri Aug 2 11:09:07 1985 Date-Received: Sun, 4-Aug-85 07:00:37 EDT References: <494@qantel.UUCP> Organization: Gateway Computer Systems, San Diego Lines: 33 Summary: Changing the .profile doesn't disable the UA In article <494@qantel.UUCP>, israel@qantel.UUCP ( Renegade@ex2564) writes: > > The user agent seems to give access to certain administrator functions > to normal users, such as mount, shutdown, lpstart, etc. The easiest > way to avoid these problems is to deactivate the user agent (ie, windowing > environment) to begin with, by deleting the 'exec ua' line from the > users' .profile file in their home directories. This will result in their > being put directly into the Bourne shell interface upon logging in. > In this environment, they would have to know the su password before > executing a shutdown. > All they then have to do is execute the User Agent manually from the command line. To prevent this, you would also have to change the permissions on /usr/bin/ua from 755. The cleanest answer may be eliminating the setuid flags on many of the sub menus of the ua. The real key would be to separate the access to Unix from the rest of the features available to 'Expert' users. (Create a new class of user, the 'Admin' user.) Then restrict the non-Admin user from giving the Admin privilage to themselves. Security on a 7300 is a serious problem when you consider that the machine is designed to go into potentially hostile environments. (ie. Anything outside the 'friendly' world of research and development.) Bob giving themselves permission to become an administrative user. -- Bob Van Cleef ...sdcsvax!gwsd!revc Gateway Computer Systems (619) 457-2701 4980 Carroll Canyon Road San Diego, CA 92121