Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!watmath!clyde!cbatt!cbosgd!ucbvax!ZOTZ.CS.UTEXAS.EDU!jsq
From: jsq@ZOTZ.CS.UTEXAS.EDU
Newsgroups: mod.protocols.tcp-ip
Subject: passwords and protection files
Message-ID: <8609291603.AA12086@im4u.UTEXAS.EDU>
Date: Mon, 29-Sep-86 12:03:37 EDT
Article-I.D.: im4u.8609291603.AA12086
Posted: Mon Sep 29 12:03:37 1986
Date-Received: Tue, 30-Sep-86 15:04:30 EDT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The ARPA Internet
Lines: 15
Approved: tcp-ip@sri-nic.arpa

Let's remember that if system people are forced to type super-user
passwords across a network in clear text that that's just as bad a
security problem as the permission file setup being complained about.
(Though I suppose the cracker is more likely to need physical access
to the local network.)

Also, the way the crackers got into system people's accounts in this
instance was through tricking badly written privileged programs to
execute out of directories with *public* write permission, without
which the question of whether system people should be able to write
into program directories without typing passwords would have been moot.

I.e., the really bad security problem in a network of 4BSD machines
is privileged programs that don't constrain their search paths and
arguments.