Path: utzoo!utgpu!water!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!ukma!nrl-cmf!ames!sgi!vjs
From: vjs@rhyolite.SGI.COM (Vernon Schryver)
Newsgroups: comp.bugs.4bsd
Subject: Re: bin owns stuff (was: Installing 4.3-Tahoe on a VAX)
Summary: bin is a risk
Message-ID: <21791@sgi.SGI.COM>
Date: 12 Sep 88 23:43:00 GMT
References: <26049@ucbvax.BERKELEY.EDU> <5416@zodiac.UUCP>
Sender: daemon@sgi.SGI.COM
Organization: Silicon Graphics Inc, Mountain View, CA
Lines: 23

In article <5416@zodiac.UUCP>, jordan@zooks.ads.com (Jordan Hayes) writes:
- Keith Bostic writes:
-   Since you can't log in as "bin" (it has no password) this
-   shouldn't be an issue.
-
- Yes, but root equivalence is governed by /.rhosts, but "bin" equiv. is
- governed by /etc/hosts.equiv ... and we all know that "rsh csh -i" is
- as good as "rlogin" for most tasks ...

Yes. Why change?

Some people, outside BSD, have long thought everything should be owned by
'bin' and not uid=0. This belief seems common in System V land. Someone
long gone from SGI brought it to IRIS's.

I have had occasion while working in SGI's internal network to exploit
variations of this hole--the usual case where someone is absent but their
machine is doing terrible things to the net, not receiving mail, or
whatever.

Having bin own things is a Bad Idea if you want to keep people out. Is
there some risk with making root own everything?

Vernon Schryver
Silicon Graphics
vjs@sgi.com