Xref: utzoo unix-pc.general:382 comp.sys.att:2529 Path: utzoo!mnetor!uunet!umbc3!alex From: alex@umbc3.UMD.EDU (Alex S. Crain) Newsgroups: unix-pc.general,comp.sys.att Subject: Re: Major security problem in the UA: looking for a real fix Message-ID: <794@umbc3.UMD.EDU> Date: 15 Feb 88 02:29:25 GMT References: <1023@woton.UUCP> <2017@bsu-cs.UUCP> <118@bergy.UUCP> <114@hodge.UUCP> <184@shlepper.ATT.COM> Reply-To: alex@umbc3.UMD.EDU (Alex S. Crain) Organization: University of Maryland, Baltimore County Lines: 33 Keywords: UNIX PC, UA, security hole In article <184@shlepper.ATT.COM> andys@shlepper.ATT.COM (a.b.sherman) writes: >In article <114@hodge.UUCP>, rusty@hodge.UUCP (Rusty Hodge) writes: >> [Description of several well known holes in the UA] >> >> Let's face it: the UA is *evil*. Get rid of it. >But what if you like the convenience of the UA and multiple windows? [solution involving super-group deleted] System security is a very real problem that doesn't have a quick & dirty (or quick and clean) solution. Unix is an open system with security holes up the wazoo, and closing the obvious ones only make the problem more subtle. Sorry, but someone who needs to ask about what to do with the UA simply isn't qualified to do battle with a experianced hacker, period. A large hidden issue is this: If a system admin closes all the holes that he knows about, then he won't have any idea how the hacker broke his system. So this approch doesn't work. The stock solution, regularly used for anonymous ftp, is to have two groups of users, trusted and not trusted. Trusted users are given a free run of the system, non-trusted users (guest logins, etc) get a restricted shell and very limited access to the system (see rsh(1)). Since a 3b1 will only support a few users, this should work for most cases, and after all, If I don't trust someone enough to think that he won't trash my system, who cares if he gets windows or not? For LANS and educational facilities, I prefer logs and traps that track problem users instead of barriers, but thats off the subject, really. -- :alex. nerwin!alex@umbc3.umd.edu alex@umbc3.umd.edu