Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!seismo!sundc!hadron!jsdy
From: jsdy@hadron.UUCP (Joseph S. D. Yao)
Newsgroups: comp.unix.wizards
Subject: Re: slaying Gould dragon with a wooden horse
Message-ID: <628@hadron.UUCP>
Date: Mon, 24-Nov-86 02:10:42 EST
Article-I.D.: hadron.628
Posted: Mon Nov 24 02:10:42 1986
Date-Received: Mon, 24-Nov-86 21:55:44 EST
References: <157@houligan.UUCP> <836@zeus.UUCP>
Reply-To: jsdy@hadron.UUCP (Joseph S. D. Yao)
Organization: Hadron, Inc., Fairfax, VA
Lines: 30
Summary: Back to the point ...

In article <836@zeus.UUCP> bobr@zeus.UUCP (Robert Reed) writes:
>In <157@houligan.UUCP> Dave Cornutt writes:
>> Any system, no matter how secure it is designed to be, is only as secure
>> as the people who run it make it.  If the searchpath problem was fixed,
>> Darryl could still have gotten in by creating a Trojan-horse program in his
>> directory and convincing the superuser to run it.
...
>... coincidence of two conditions:
> 1. That the search path tried the current working directory first.
> 2. That the system administrator would think nothing of using standard
>    utilities while running as root in that directory.
>It is one thing to build a trojan horse behind, say, ls; ... [another]
>administrator to run a user program WHILE IN A PRIVILEGED ACCOUNT...
>know I would have real qualms about executing someone's xyz program while
>running as root.  But I might not even think about running ls, cat, more, or
>emacs.

I think that the point is, yes, those two are the specific hinge for
the technique used here; but it's not the only way the system could
have been broken.  As said above and elsewhere, PEOPLE are what make
or break a security system.  All the hardware and software in the
world can't make a system secure.  E.g., I won't tell you where, but
there's a perfectly good locked door I know of ... with the key
hanging on the lintel, so that people can get in and out easily.

And: anybody remember how the kid in Wargames got the school
secretary's password?  PEOPLE, folks, are THE most important part of
ANY computer system!
-- 
Joe Yao		hadron!jsdy@seismo.{CSS.GOV,ARPA,UUCP}
		jsdy@hadron.COM (not yet domainised)