Path: utzoo!attcan!uunet!pyrdc!pyrnj!rutgers!mit-eddie!apollo!mishkin
From: mishkin@apollo.COM (Nathaniel Mishkin)
Newsgroups: comp.sys.apollo
Subject: Re: some questions for the gurus.
Message-ID: <3e720b36.c6f9@apollo.COM>
Date: 13 Sep 88 16:25:00 GMT
References: <8809081356.AA00196@caen.engin.umich.edu>
Reply-To: mishkin@apollo.com (Nathaniel Mishkin)
Organization: Apollo Computer, Chelmsford, MA
Lines: 45

In article <8809081356.AA00196@caen.engin.umich.edu> frank@CAEN.ENGIN.UMICH.EDU (Randy Frank) writes:

>It's always fun when flames start up on a list...

Seemed like the fire was going out so I guess I'll have to give the embers a nudge...

>I fundamentally disagree with those who state that security is a binary issue: if
>you can't have perfect security, then why have any at all is b.s.

I don't really disagree with this statement and the point of my previous message was more to heighten people's awareness rather than tell them that the situation is hopeless.

I'm a little uncomfortable with the "we've lived with vanilla BSD Unix security for years and it's been OK" argument for two reasons. First, I think it's really not good enough; I don't think that you have to be all that much of a wizard to defeat it. (I get the willies thinking about PCs that can do TCP/IP plugged into my internet. Ports less than 1024 reserved to privileged processes? Hah. Keeping a list of "trusted hosts" in a network of 50 or more machines. I don't think so.) Second, I don't see how Apollo (or any other company selling to people who have any inkling of what's really required to make a network truly secure) can in good conscience promote something as being even "pretty secure" when we all know that it would take someone with only moderate skills a day or so to defeat the system's "security".

But back to the particular problems raised in this discussion: the signalling of processes you don't own and the shutting down of nodes.

As Jim Rees said, the signalling issue is fixed in sr10 so that you have to be root or the same ID as the target process to be able to signal it.

As far as shutdown goes, Jim said something like "You can just turn the power off so what good does it do to require special privileges to execute the DM's SHUT command." The counters to that seemed to be "But look at the problems caused if you let randoms shut down nodes", which misses the mark. Of *course* it can cause problems, but the fact of the matter is that the node is sitting on someone's desk and if he *wants* to cause problems, he'll just shut the power off -- he doesn't need to be able to issue the SHUT command. If the retort here is "We have stupid users that might *accidentally* issue the SHUT command", well, all I can say is if enough people think that's a real problem, shout now and I'm sure we'll do something about it.

--
Nat Mishkin
Apollo Computer Inc., Chelmsford, MA
mishkin@apollo.com