Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!utgpu!water!watmath!clyde!rutgers!noao!arizona!naucse!bakerst!gladys!killer!sean
From: sean@killer.UUCP
Newsgroups: unix-pc.general,comp.sys.att,comp.unix.wizards
Subject: Re: Security problem on UNIX PC's
Message-ID: <1621@killer.UUCP>
Date: Thu, 24-Sep-87 13:58:26 EDT
Article-I.D.: killer.1621
Posted: Thu Sep 24 13:58:26 1987
Date-Received: Sat, 26-Sep-87 15:20:10 EDT
References: <54@quincy.UUCP>
Organization: The Unix(R) Connection, Dallas, Texas
Lines: 34
Keywords: security, root, problem, unix-pc
Xref: utgpu junk:5843 comp.sys.att:1125 comp.unix.wizards:4156
Summary: A couple fixes

In article <54@quincy.UUCP>, lenny@quincy.UUCP (Lenny Tropiano) writes:
> Security problem #2:
>
> A lot of people keep "tutor" with no password and widely distribute their
> dialup number. Tutor, a non-expert user, can't run the shell?! Or can they?
> Create a file in the Filecabinet, editor either "vi" or "ed" and do a ":!sh"
> in vi or "!sh" in ed, and wha-la!
>

This one's easy: assign tutor a password! :-)

There is also another way for tutor to get a shell. While in Office of tutor
the user has only to type /bin/sh or /bin/ksh, and the User Agent will run
the shell. This works for ANY user not having "EXPERT" status. The password
solution will keep unwanted folks from getting in as tutor, but I dunno how
one would prevent this security problem once tutor has logged in successfully.

> Security problem #3:
>
> Mail setup... UUCP phone numbers and passwords in the L.sys file are normally
> protected so that NON-SUPERUSER people cannot hack them! Go into mail setup
> (any user...even Tutor) and you can get all the necessary hacking information!

My solution here was to edit /usr/lib/ua/Administration. Remove any entries
from this file that you don't want everyone using, and put them in the
install login's personal Administration file (/u/install/Administration).
In fact, the only things I left in /usr/lib/ua/Administration are "Changing
Password" and "System Information"; I moved the rest to install's
Administration.

As an extra measure of security on L.sys (or Systems, as the case may be) I
set the permissions to 640. If you do this you'll have to change the file's
group to mail, so that the AT&T Electronic Mail software can read it.

Sean
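
A shell audit for the two fixes in this thread (a password on tutor, and mode 640 with group mail on L.sys), added here as an example and not part of the original post. It assumes a passwd-format file whose second field holds the password; the function names are hypothetical and the sample data is constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical and sample data is constructed.

# Print login names whose password field (field 2) is empty in a
# passwd-format file, e.g. a "tutor" account left without a password.
empty_password_accounts() {
    awk -F: '$1 != "" && $2 == "" { print $1 }' "$1"
}

# Succeed only if FILE is mode 640 and owned by group GROUP, the setting
# the post applies to L.sys. Prints the reason on failure.
check_restricted_file() {
    file=$1
    want_group=$2
    [ -f "$file" ] || { echo "$file: not found"; return 2; }
    listing=$(ls -ld "$file")
    mode=$(printf '%s\n' "$listing" | cut -c2-10)
    group=$(printf '%s\n' "$listing" | awk '{ print $4 }')
    status=0
    if [ "$mode" != "rw-r-----" ]; then
        echo "$file: mode is $mode, expected rw-r----- (640)"
        status=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "$file: group is $group, expected $want_group"
        status=1
    fi
    return $status
}

# Demo on constructed files in a scratch directory (not the real system files).
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'root:Ab3xQ9zLmN0pq:0:0::/:/bin/sh' \
                  'tutor::101:100::/u/tutor:/bin/sh' \
                  'install:Zk8wR2vTyU1op:102:100::/u/install:/bin/sh' > "$dir/passwd"
    echo "Accounts with no password:"
    empty_password_accounts "$dir/passwd"
    : > "$dir/L.sys"
    chmod 644 "$dir/L.sys"
    check_restricted_file "$dir/L.sys" mail
    rm -rf "$dir"
}
demo
```

On a live system the same functions take the real passwd file and the L.sys (or Systems) file with `mail` as the expected group.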