Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP Path: utzoo!mnetor!seismo!columbia!rutgers!ll-xn!adelie!cdx39!jc From: jc@cdx39.UUCP (John Chambers) Newsgroups: comp.unix.wizards,comp.unix.questions Subject: Re: Slaying Gould dragon with a wooden Message-ID: <515@cdx39.UUCP> Date: Fri, 5-Dec-86 12:24:01 EST Article-I.D.: cdx39.515 Posted: Fri Dec 5 12:24:01 1986 Date-Received: Sun, 7-Dec-86 03:11:59 EST References: <2949@rsch.WISC.EDU> Lines: 46 Xref: mnetor comp.unix.wizards:269 comp.unix.questions:270 Not to change the subject or anything, but I've been hearing rumors for some time of a security mailing list that is supposed to exist somewhere. I've been interested in system security for some time, both out of personal interest and because I am an administrator for a bunch of machines and consultant to others with machines where there are security interests. Now, I've done my share of breaking and entering, mostly on my own machines to learn how others might do it to me, and also on others to illustrate to their owners how you might do it to them. But I don't consider myself a real security expert. When I try to learn more, I usually find that everything printed is the easy stuff that I already know about. The more sophisticated stuff I can't learn about, because, well, it is too sensitive to let just anyone know about it... As a result, we have a situation where system administrators don't learn how people can break into their systems, while there is a small population around that knows much more than you or I do about the subject. Is there any way that someone not already working for the NSA or CIA or DOD or whoever can really learn the good stuff about system security? The Gould discussion illustrates a good point. It is obvious, given a little thought, that a super-user shouldn't have '.' early in the search path. I sort of suspect that it shouldn't be there at all, but I haven't yet figured out the proof. Until I read these articles, it simply hadn't occurred to me that this was a security problem. (Well, it was obvious that '.' shouldn't be first in $PATH; I can claim at least that much intelligence. :-) I'll add this to my list of things to tell security-conscious administrators about. Where can I get a comprehensive list of all the other security holes known to Unix wizards? -- John M Chambers Phone: 617/364-2000x7304 Email: ...{adelie,bu-cs,harvax,inmet,mcsbos,mit-eddie,mot[bos]}!cdx39!{jc,news,root,usenet,uucp} Smail: Codex Corporation; Mailstop C1-30; 20 Cabot Blvd; Mansfield MA 02048-1193 Clever-Saying: For job offers, call (617)484-6393 evenings and weekends.