Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.2 9/5/84; site mordor.UUCP
Path: utzoo!watmath!clyde!bonnie!akgua!gatech!seismo!lll-crg!mordor!jdb
From: jdb@mordor.UUCP (John Bruner)
Newsgroups: net.unix
Subject: Re: Automatic root login
Message-ID: <4513@mordor.UUCP>
Date: Sun, 24-Nov-85 12:27:12 EST
Article-I.D.: mordor.4513
Posted: Sun Nov 24 12:27:12 1985
Date-Received: Mon, 25-Nov-85 08:02:38 EST
References: <306@spock.UUCP>
Reply-To: jdb@mordor.UUCP (John Bruner)
Organization: S-1 Project, LLNL
Lines: 19

There is an important consideration if you have (or are considering
the implementation of) a program which gives a root shell to
specified users without prompting for a password.

This sort of program effectively multiplies the number of passwords
than can be used to obtain "root".  Rather than protecting a single
password, it is now necessary to protect N+1 (where N is the number
of privileged users.  In general, is easier to find one out of N+1
passwords than it is to determine a single password.

Also, since correct setuid programs are difficult to write, you must
now worry not only about setuid-root programs but also setuid-priv
programs (where "priv" is any user in the privileged class).  A
buggy setuid-priv program might be exploited to obtain a setuid-priv
shell which could then be used to obtain root.
-- 
  John Bruner (S-1 Project, Lawrence Livermore National Laboratory)
  MILNET: jdb@mordor [jdb@s1-c.ARPA]	(415) 422-0758
  UUCP: ...!ucbvax!dual!mordor!jdb 	...!seismo!mordor!jdb