Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!husc6!cmcl2!nrl-cmf!ames!ucbcad!ucbvax!E.MS.UKY.EDU!david
From: david@E.MS.UKY.EDU (David Herron E-Mail Hack)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: Ethernet Bridge
Message-ID: <8711070425.AA10823@ucbvax.Berkeley.EDU>
Date: Mon, 2-Nov-87 16:49:14 EST
Article-I.D.: ucbvax.8711070425.AA10823
Posted: Mon Nov 2 16:49:14 1987
Date-Received: Mon, 9-Nov-87 02:39:33 EST
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The ARPA Internet
Lines: 40

Well ... the only hole which I know by heart is the following situation. You have someone with a workstation and he has the root password for his workstation. He also has some local disk storage. He makes a setuid shell on his local disk. Then he goes over to another system and executes his shell, thus giving him root on that system. In our case we use equiv hosts to simplify a lot of things, but don't use fully transitive equivalencies in a lot of cases.

The reason this is a hole has to do with Unix using a simple integer to encode the user id ... If there were some sort of indication of the host that the user id pertained to ...

Oh, in the particular situation, the user MUST have root access to his own workstation so that he can properly do his research. Fortunately he's a nice guy ... :-)

For a good time read section 2.2.2. of Sun's NFS Protocol Specification. It talks about the above bug and others.

As for using an IP gateway for security ... Well, consider me something of a beginner in TCP/IP issues. But I still have to manage the local end of our net, and give advice to the people around me. I understand enough that the idea of a gateway knowing that a certain class of IP numbers can only come from one side of the gateway makes sense. But this source routing stuff which someone mentioned is unfamiliar territory to me. I've been reading the discussion about source routing and know that it apparently only applies to token ring.

However, it seems that if there is to be support for source routing in the kernel, then you could use it from any sort of network hardware. Is the idea with source routing to encapsulate an IP packet inside another one which is addressed to a gateway machine, and the encapsulating packet says where to send the encapsulated packet?

The use of IP gateways to wall off sections of the net to contain IP storms makes sense ... We may set things up that way ... does anyone have any recommendations on a good IP gateway?

-- 
<---- David Herron, Local E-Mail Hack, david@ms.uky.edu, david@ms.uky.csnet
<---- {rutgers,uunet,cbosgd}!ukma!david, david@UKMA.BITNET
<---- "The market doesn't drop hundreds of points on a normal day..."
<----   -- Fidelity Investments Co73D X473D
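The hole described in the post above (a setuid shell created on one host's disk being honoured when executed on another host that mounts that disk) is defeated on the importing side by mounting network filesystems with `nosuid` (and `nodev`), so that the setuid bit on a remote file is ignored. The following audit script is an added example, not code from the original post or from any project it mentions; it parses fstab-style lines and reports NFS mounts that lack those options. The sample entries, server names and mount points are constructed for the example.

```python
"""Audit fstab-style mount entries for NFS mounts that still honour setuid bits.

Added example, not from the original post.  An importing host that mounts a
remote disk without ``nosuid`` will run a setuid-root binary placed on that
disk as root locally; ``nosuid`` makes the kernel ignore the bit, ``nodev``
likewise ignores device nodes on the remote filesystem.
"""

from dataclasses import dataclass
from typing import Dict, List

# Filesystem types treated as network mounts (constructed list for the example).
NETWORK_FS_TYPES = {"nfs", "nfs4"}
# Options every network mount should carry on the importing host.
WANTED_OPTIONS = ["nosuid", "nodev"]


@dataclass
class MountEntry:
    source: str
    mountpoint: str
    fstype: str
    options: List[str]


def parse_fstab(text: str) -> List[MountEntry]:
    """Parse fstab lines (device mountpoint type options [dump pass]) into entries."""
    entries: List[MountEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue                           # malformed line: skip rather than guess
        entries.append(MountEntry(fields[0], fields[1], fields[2], fields[3].split(",")))
    return entries


def missing_hardening(entry: MountEntry) -> List[str]:
    """Return the hardening options absent from a network mount (empty if not NFS or already hardened)."""
    if entry.fstype not in NETWORK_FS_TYPES:
        return []
    return [opt for opt in WANTED_OPTIONS if opt not in entry.options]


def audit(text: str) -> Dict[str, List[str]]:
    """Map mountpoint -> missing options, for every network mount that is not fully hardened."""
    findings: Dict[str, List[str]] = {}
    for entry in parse_fstab(text):
        missing = missing_hardening(entry)
        if missing:
            findings[entry.mountpoint] = missing
    return findings


# Constructed sample fstab; the hosts and paths are not real configuration.
SAMPLE_FSTAB = """\
# constructed sample, not a real configuration
/dev/sda1          /            ext4  defaults          0 1
fileserver:/export /mnt/export  nfs   rw,hard,intr      0 0
ws1:/local         /net/ws1     nfs   rw,nosuid,nodev   0 0
ws2:/local         /net/ws2     nfs4  rw,nosuid         0 0
"""

if __name__ == "__main__":
    for mountpoint, missing in audit(SAMPLE_FSTAB).items():
        print(f"{mountpoint}: add {','.join(missing)}")
```

Run against a real `/etc/fstab` the script reports only the network mounts that need attention; `/net/ws1` in the sample is silent because it already carries both options, while `/mnt/export` is exactly the situation the post describes.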