Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP Path: utzoo!mnetor!seismo!munnari!kre From: kre@munnari.oz (Robert Elz) Newsgroups: comp.unix.wizards Subject: Re: /etc/rc, security ... Message-ID: <1573@munnari.oz> Date: Wed, 22-Apr-87 09:55:35 EST Article-I.D.: munnari.1573 Posted: Wed Apr 22 09:55:35 1987 Date-Received: Fri, 24-Apr-87 01:13:16 EST References: <623@rna.UUCP> <439@uhccux.UUCP> Organization: Comp Sci, Melbourne Uni, Australia Lines: 47 In article <623@rna.UUCP> dan@rna.UUCP (Dan Ts'o) writes: > I did a PS on our 4.2BSD system today and found extra copies of > /etc/update, cron and a few other running, owned by one of our users. In article <439@uhccux.UUCP>, todd@uhccux.UUCP (The Perplexed Wiz) replies: > It seems that BSD releases are full of weird security holes as delivered. I'm not sure what your definition of a "security hole" is, but this doesn't fit mine. Its just a slightly silly setup, it doesn't allow anything at all that users couldn't do anyway. If I have an inclination to run /etc/update, but /etc/update is 700 mode (or similar), I just cp /usr/src/etc/update.c .; cc update.c; ./a.out and it runs. If I can do it that way (so the system staff can't even see that its update that's running easily) I can't see why I shouldn't just be able to do /etc/update. Its a bit of a dumb thing to want to do, but not a security hole. If the source is protected incidentally, then I just do cat <update.c main() { for (;;) sleep(60), sync(); } ! instead of the copy, and then continue. Exactly the same applies to cron .. having a user run it is a bit dumb, but not any kind of security hole. You might want to protect crontab rather than cron, so users can't see what processes you have cron run, but that's just obscurity security, and is only marginally useful. I should say that even given all that, I do recommend protecting cron, update, etc .. the type of user dumb enough to actually run one of those things is usually also dumb enough not to know any of the above techniques to get around the protection, and it does save wasting system resourses (an extra few copies of update running can limit the effectiveness of the buffer cache). kre