Path: utzoo!utgpu!water!watmath!clyde!wtr@moss.ATT.COM
From: wtr@moss.ATT.COM
Newsgroups: comp.unix.aux
Subject: Re: Security on A/UX
Message-ID: <34192@clyde.ATT.COM>
Date: 3 Oct 88 17:16:07 GMT
References: <3242@emory.uucp>
Sender: mjs@clyde.ATT.COM
Reply-To: wtr@moss.UUCP (Bill Rankin)
Organization: AT&T Bell Laboratories, Whippany NJ
Lines: 61

In article <3242@emory.uucp> km@emory.uucp (Ken Mandelberg) writes:
>We are starting to think about using A/UX for student Unix workstations
>in our lab. One concern in this environment is security. There are
>probably lots of issues to consider but the first one that comes to
>mind is the floppy disk.

>1) It would seem that a student could do mischief by putting in a MacOS
>systems floppy and pushing reset. Once in MacOS he could have his way
>with the hard disk. Is there a way to disable boots from floppy without
>physically disconnecting it? Disable reset?

Or lock the main cabinet away. If you don't need to allow the
students access to the main console, then just run dumb terminals
off the box and lock it up.

>2) Even from A/UX the floppy is a problem. It seems a shame not to
>allow students to have small personal filesystems on floppy, but if
>mount access is allowed there is little to stop the student from
>presenting a file system with a setuid program on it. I guess the thing
>to do here is write a setuid frontend to mount that does a fsck, mounts
>only in a prescribed place, and searches the floppy for setuid
>program.

another possible solution would be to show the students how to
use cpio to backup a filesystem (their own) then a student could
just carry around a disk with their files on it, and move them
easily between machines. not as "neat" as mounting the floppy,
but safer and also a lot faster disk access for the student once
they've uploaded.

>What are the other security issues to consider?

a similar problem as #1, but with the student gaining root privilege
by rebooting the machine and bringing it up single user.

also, if you are going to be using this setup for homework/class
assignments where the students are all doing individual work of an
identical nature (e.g. "problem #5 on page 69 of your text"), then
it's a good idea to warn students to set their file access to
700 (rwx------) to prevent the 'shared homework' syndrome.

i'm not real familiar with A/UX, having only played with it a couple
of times. however, these problems are inherent in any small
pc-base-unix/workstation where the user has access to the hardware
itself. ( I'm running microport SV/AT on an AT-clone ).

good luck with it! hope this has helped.

>Ken Mandelberg | km@mathcs.emory.edu PREFERRED

=====================================================================
Bill Rankin
Bell Labs, Whippany NJ
(201) 386-4154 (cornet 232)

email address:          ...![ att ulysses allegra ]!moss!wtr
                        ...![ att akgua watmath ]!clyde!wtr
=====================================================================
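
Added example, not part of the original post or of any A/UX tool: the "search the floppy for setuid programs" step of the mount frontend proposed in the quoted question, written as a POSIX shell function. The function name `scan_user_fs` is hypothetical, and the check goes slightly beyond the post by also flagging setgid files and device nodes, which carry the same risk on a user-supplied filesystem.

```shell
#!/bin/sh
# Vet an already-mounted, user-supplied filesystem before users get access.
# A mount frontend would call scan_user_fs on its fixed mount point right
# after mounting, and unmount again if the status is non-zero.

# scan_user_fs DIR
#   Prints one line per risky object found under DIR:
#     SUID <path>   regular file with the set-user-ID bit
#     SGID <path>   regular file with the set-group-ID bit
#     DEV  <path>   block or character device node
#   Returns 0 if the tree is clean, 1 if anything was flagged,
#   2 if DIR is missing or not a directory.
scan_user_fs() {
    dir=$1
    [ -n "$dir" ] && [ -d "$dir" ] || {
        echo "usage: scan_user_fs DIR" >&2
        return 2
    }

    findings=$(
        # -xdev keeps find on the scanned filesystem only.
        find "$dir" -xdev -type f -perm -4000 -exec printf 'SUID %s\n' {} \;
        find "$dir" -xdev -type f -perm -2000 -exec printf 'SGID %s\n' {} \;
        find "$dir" -xdev \( -type b -o -type c \) -exec printf 'DEV  %s\n' {} \;
    )

    # Clean tree: nothing printed, success status.
    [ -z "$findings" ] && return 0

    printf '%s\n' "$findings"
    return 1
}
```

The scan only reports; refusing the mount when the status is 1 is left to the calling frontend.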