Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!seismo!sundc!pitstop!sun!amdcad!ames!ucbcad!ucbvax!ucdavis!caldwr!kwongj
From: kwongj@caldwr.caldwr.gov (James Kwong)
Newsgroups: comp.sys.apollo
Subject: Re: Network Security (turing off kill in csh)
Message-ID: <123@caldwr.caldwr.gov>
Date: Thu, 29-Oct-87 13:18:23 EST
Article-I.D.: caldwr.123
Posted: Thu Oct 29 13:18:23 1987
Date-Received: Tue, 3-Nov-87 07:34:33 EST
References: <2359@super.upenn.edu> <5087@utah-cs.UUCP>
Organization: California Department of Water Resources
Lines: 51
Summary: Kill/sigp problem

> > On a generic 4.2 system, kill will not allow you to signal processes that
> > you do not own; however, under DOMAIN/IX (SR9.5) I seem to be able to kill
> > any process that I choose (even processes owned by root !!!). Is there any way
> > to turn off kill in the c-shell ??? Is this a bug in DOMAIN/IX ??? Is there
> > a way around this problem other than giving remote users an AEGIS shell ??
> >
>
> The lack of process security (except for the DM) has been a problem since
> day zero (actually day SR6, when CRP was invented). Restricting remote
> users to the Aegis shell doesn't really help, because they can still go
> blasting away with "sigp".
>
> I wouldn't be surprised if SR10 fixed this, but it's been a "known bug"
> for some time.
>
> Cheers,
> jp

How about:

Write a script/program called "kill/sigp".
Rename the real kill and sigp to something else.
In the new "kill/sigp" do the following:
    Get the parameter(s) passed to it.
    Parse it for PID/UID and other options.
    Do a ps -auxN.
    Obtain the environment variable of the username.
    Compare the environment name with the user name
    obtained from the "ps -auxN". If the names match, call the
    real kill/sigp with the parameters. Otherwise print error message.
You may have to do something about the real kill/sigp so that they are
"hidden" from normal users....

We're running SR9.5 also and have noticed other minor security problems.
I noticed that the "/com/edacct" was set so every/anyone could execute it
no matter which security option you picked (open, personal, system). This
allows you to change account info. like password locally and then to
propagate it across network later. You have to re-acl it so only
sys_admin or root can invoke it.

You can also "crp" or "rlogin" to another node and issue the "halt"
command. This will cause the node to shut down to the debugger level.

I've been hearing rumors that Apollo may go to a more "native UNIX" later.
Cross your fingers.

James Kwong
1416 9th Street Rm. 249
Sacramento, CA 95802
(916) 322-9430
Calif. Depart. of Water Resources
ucdavis.edu!caldwr!kwongj (Internet)
...!ucbvax!ucdavis!caldwr!kwongj (UUCP)

Disclaimer: The opinions expressed above are mine, not those of the State
of California or the California Department of Water Resources.
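
The wrapper procedure proposed in the post above, written out as an added example (not code from the post or from Apollo). Assumptions: POSIX "ps -e -o user= -o pid=" stands in for the DOMAIN/IX "ps -auxN", the caller's name comes from "id -un" rather than from an environment variable, REAL_KILL is a hypothetical path for the renamed binary, and the process listing is constructed sample data. The check refuses any argument it cannot parse.

```shell
#!/bin/sh
# Added example: ownership check for a kill/sigp wrapper (not from the original post).
REAL_KILL=/usr/local/libexec/kill.real   # hypothetical location of the renamed real kill

# owner_of LISTING PID: print the owner of PID from "USER PID" lines; fail if PID is absent.
owner_of() {
    printf '%s\n' "$1" |
        awk -v pid="$2" '$2 == pid { print $1; found = 1; exit } END { exit !found }'
}

# may_signal CALLER LISTING [-SIGNAL] PID...: succeed only if every PID belongs to CALLER.
may_signal() {
    caller=$1; listing=$2; shift 2
    case ${1:-} in -?*) shift ;; esac                 # one leading option such as -9 or -HUP
    [ "$#" -gt 0 ] || return 1                        # no PID left: refuse
    for pid in "$@"; do
        case $pid in ''|*[!0-9]*) return 1 ;; esac    # -1, %1, "-s HUP": refuse what we cannot parse
        owner=$(owner_of "$listing" "$pid") || return 1   # unknown PID (including 0): refuse
        [ "$owner" = "$caller" ] || return 1
    done
    return 0
}

# guarded_kill ARGS...: what the installed wrapper would run (defined here, not called).
guarded_kill() {
    me=$(id -un)                          # assumption: identity from the OS, not from $USER
    procs=$(ps -e -o user= -o pid=)       # assumption: POSIX ps instead of "ps -auxN"
    if may_signal "$me" "$procs" "$@"; then
        exec "$REAL_KILL" "$@"
    fi
    echo "kill: not owner, or arguments not understood" >&2
    return 1
}

# Constructed sample listing, not real ps output.
SAMPLE='root 1
root 212
alice 4301
alice 4377
bob 5120'

for args in "-9 4301 4377" "-9 212" "4301 5120" "-9 -1"; do
    if may_signal alice "$SAMPLE" $args; then      # $args is split on purpose
        echo "allow: kill $args"
    else
        echo "deny:  kill $args"
    fi
done
```

A wrapper like this only governs users who go through it; as the post says, the renamed real kill and sigp also have to be kept out of reach of normal users.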