Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.2 9/18/84; site ucsfcgl.UUCP
Path: utzoo!watmath!clyde!burl!ulysses!ucbvax!ucsfcgl!arnold
From: arnold@ucsfcgl.UUCP (Ken Arnold%CGL)
Newsgroups: net.unix
Subject: Re: Alternate Shells
Message-ID: <626@ucsfcgl.UUCP>
Date: Wed, 28-Aug-85 16:06:34 EDT
Article-I.D.: ucsfcgl.626
Posted: Wed Aug 28 16:06:34 1985
Date-Received: Fri, 30-Aug-85 11:06:36 EDT
References: <49600007@convexs> <10672@Glacier.ARPA> <275@uwvax.UUCP>
Reply-To: arnold@ucsfcgl.UUCP (Ken Arnold)
Organization: UCSF Computer Graphics Lab
Lines: 33

In article <275@uwvax.UUCP> david@wisc-rsch.arpa (David Parter) writes:
>> Next joke, please. Suffice it to say that "lock" isn't nearly as
>> secure as it might lead you to believe. This probably isn't the
>> place to go into the details of why, but I wouldn't trust the
>> standard "lock" to protect anything I valued.
>> Doug Hosking
>possible solutions:
> 1) don't leave your terminal (logged in) alone.
> 2) fix lock, if you need a secure locking mechanism for yourself
>    or your users. We have made some fixes to it.

All missing the point. You try and convince a bunch of beginning
programmers that they should never walk away from their terminal
without locking it. You'll get to about 80% of them initially, and
then after about a week, people will start to get careless, and you
start getting a very low compliance rate. Also, as security sometimes
one will just ask a friend to watch the terminal while they go to the
bathroom, and that friend is the one who plays the practical joke.

In the real world, you just cannot convince *everyone* (or even a
significant fraction) to be paranoid; most people just don't think
that way. Hell, even *I* don't think that way all the time, thank
goodness. The software should assume a somewhat hostile environment.

If you don't believe me, let me point out that changing the login
shell to /bin/cat and changing someone's password both lock them out
of their account. Do I hear anyone arguing that passwd should stop
asking for the current password before changing it to something else?
No. So why shouldn't chsh give some security? There are better ways
than the two-shell restriction currently in use, but some such
restriction is needed.

Ken Arnold