Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!watmath!clyde!rutgers!mit-eddie!genrad!decvax!mcnc!rti-sel!trt
From: trt@rti-sel.UUCP
Newsgroups: comp.sources.d
Subject: Re: Another kind of su program (source)
Message-ID: <1177@rti-sel.UUCP>
Date: Wed, 4-Feb-87 11:18:31 EST
Article-I.D.: rti-sel.1177
Posted: Wed Feb 4 11:18:31 1987
Date-Received: Sat, 7-Feb-87 11:31:09 EST
References: <195@olamb.UUCP> <263@aramis.RUTGERS.EDU> <608@vu-vlsi.UUCP>
Organization: Research Triangle Institute, NC
Lines: 49

> Both of these programs (performing password-free su) seem dangerous
> to me - if one of the authorized users were to accidentally leave themselves
> logged on, anyone could come along and su from their terminal.

Short reply: Yes, a password-free su (PWFSU) is dangerous. So is typing the root password all the time. I feel that the security trade-off is a wash, and PWFSUs win because they are more convenient.

Long reply: This weakness occurs on all normal UN*X systems anyway. Anyone can come along and install a trojan horse 'su', in the authorized user's bin, which steals the root password. There are lots of other ways to exploit a logged-in terminal. There is always "find / -exec rm -f {} ';'", just to be malicious.

> Also,
> it makes the knowledge of an authorized sus/slide user's password
> equivalent to knowing the root password.

Again, this is true on normal UN*X systems with or without PWFSUs. If you know the authorized user's password, to a large degree you *are* that authorized user. You can masquerade as him to the OS and (more importantly) to other users. And you can set up a fantasy world for the "real" authorized user in which every communication between that user and the OS is examined and altered as desired. (Yes, a 'trusted path' would avoid much, but not all, of this insecurity.)
Years ago Brian Kernighan explained the power of UNIX pipes and filters, saying that other operating systems could obtain the same effect but that "It isn't enough for it to be possible, it must be easy". In UNIX lots of things were easy. It had chdir (cd), which made it easy to snoop in other users' files. Did that make UNIX insecure? Lots of people thought UNIX was insecure, and I am sure chdir was a subconscious part of that thought. On Duke's IBM OS/MVT system all kinds of amazingly important files were readable *and writable* but were 'safe' because without chdir and ls the files were too much trouble to hunt down and exploit.

PWFSUs make an existing security problem (unattended terminals) easier to exploit. Should we ban PWFSUs, or go after the real problem? Maybe terminals should 'lock up' after being idle for a while. Maybe terminals should have a user-proximity detector, and require re-authentication after the user is no longer proximate. Or just do what we do -- threaten our users with bodily harm if they exploit security weaknesses. Works great.

Tom ("just kidding") Truscott
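The post's "real problem" is the unattended, still-logged-in terminal. The following is an added example (not part of Tom Truscott's post or of the su programs under discussion) of the kind of administrator-side check that goes after that problem directly: it parses the IDLE column that `who -u` prints and reports sessions that have sat idle past a threshold, which is the precondition for the "lock up after a while" behaviour the post suggests. It assumes the GNU coreutils `who -u` column layout (NAME, LINE, TIME, IDLE, PID, COMMENT) and the three forms the IDLE field takes there (`.` for active within the last minute, `HH:MM`, and `old` for more than 24 hours); the sample lines are constructed, not captured from a real system.

```python
"""Flag unattended login sessions from `who -u` output.

Added example, not code from the original post. Assumes the GNU coreutils
`who -u` layout; the sample below is constructed for illustration.
"""
import re

# Constructed sample in the layout of `who -u`:
# NAME     LINE         TIME             IDLE       PID  COMMENT
SAMPLE_WHO_U = """\
alice    tty1         2024-05-01 08:02   .          1123
bob      pts/0        2024-05-01 09:15 00:47        2210 (:0)
carol    pts/1        2024-04-29 17:30  old         1840 (10.0.0.5)
dave     pts/2        2024-05-01 10:01 02:05        2597 (10.0.0.7)
"""

# NAME, LINE, then the two-token TIME (date and clock), then IDLE.
LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<line>\S+)\s+(?P<date>\S+\s+\S+)\s+(?P<idle>\S+)"
)

# Sentinel for the 'old' marker: `who` only tells us it is more than a day.
OLD_IDLE_MINUTES = 24 * 60 + 1


def parse_idle(field: str) -> int:
    """Convert the IDLE column to minutes.

    '.'   -> 0      (activity within the last minute)
    'old' -> sentinel meaning 'more than 24 hours'
    HH:MM -> hours * 60 + minutes
    Anything else is rejected rather than silently treated as active.
    """
    if field == ".":
        return 0
    if field == "old":
        return OLD_IDLE_MINUTES
    m = re.fullmatch(r"(\d{1,2}):(\d{2})", field)
    if not m:
        raise ValueError(f"unrecognised idle field: {field!r}")
    return int(m.group(1)) * 60 + int(m.group(2))


def unattended_sessions(who_output: str, threshold_minutes: int = 30):
    """Return (user, line, idle_minutes) for sessions idle >= threshold.

    Lines that do not match the expected layout are skipped; a malformed
    IDLE field on a matching line raises, so a parsing failure is noticed
    instead of hiding an idle session.
    """
    flagged = []
    for raw in who_output.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if not m:
            continue
        idle = parse_idle(m.group("idle"))
        if idle >= threshold_minutes:
            flagged.append((m.group("user"), m.group("line"), idle))
    return flagged


if __name__ == "__main__":
    # A real deployment would feed `who -u` output here and hand the result
    # to whatever locks or logs out the session.
    for user, line, idle in unattended_sessions(SAMPLE_WHO_U):
        print(f"{user} on {line} idle {idle} min")
```

The `old` case is the one worth handling deliberately: `who` stops reporting exact idle time after a day, so the parser maps it to a value above any sensible threshold rather than dropping the session. Whether a flagged session is locked, logged out or merely reported is a policy decision outside this check.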