Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!utgpu!water!watnot!watmath!clyde!rutgers!brl-adm!seismo!mimsy!chris
From: chris@mimsy.UUCP
Newsgroups: comp.sources.d
Subject: Re: Another kind of su program
Message-ID: <5398@mimsy.UUCP>
Date: Thu, 12-Feb-87 04:09:17 EST
Article-I.D.: mimsy.5398
Posted: Thu Feb 12 04:09:17 1987
Date-Received: Fri, 13-Feb-87 02:04:41 EST
References: <4055@caip.RUTGERS.EDU> <912@aicchi.UUCP> <288@acornrc.UUCP> <9150@topaz.RUTGERS.EDU>
Organization: U of Maryland, Dept. of Computer Science, Coll. Pk., MD 20742
Lines: 22
Keywords: su, system security

>>..  System administrators would have to sweep the entire disk for
>>setuid root programs every time a user was de-authorized.

In article <9150@topaz.RUTGERS.EDU> hedrick@topaz.RUTGERS.EDU
(Charles Hedrick) writes:
>Careful system administrators use "find" to look at all setuid and
>setgid programs on a regular basis.  It's not a big chore.  That's
>what programs are for.

Your `find' has been doctored.

Your compiler has been hacked; when you compile it, it inserts code
that recognises itself and find.

Want more?  Ask Ken Thompson.

All you can decide is how much effort to spend on security.  The
more effort, the more security, but one approaches `secure' only
asymptotically.
-- 
In-Real-Life: Chris Torek, Univ of MD Comp Sci Dept (+1 301 454 7690)
UUCP:	seismo!mimsy!chris	ARPA/CSNet:	chris@mimsy.umd.edu