Path: utzoo!attcan!uunet!mcvax!ukc!dcl-cs!aber-cs!pcg
From: pcg@aber-cs.UUCP (Piercarlo Grandi)
Newsgroups: comp.sys.next
Subject: Re: diskless NeXT? (was Re: Announcement vs reality)
Summary: Another naive sys admin...
Keywords: Next
Message-ID: <267@aber-cs.UUCP>
Date: 24 Nov 88 17:51:16 GMT
References: <17846@glacier.STANFORD.EDU> <3638@pt.cs.cmu.edu> <28185@tut.cis.ohio-state.edu>
Reply-To: pcg@cs.aber.ac.uk (Piercarlo Grandi)
Distribution: eunet,world
Organization: CS Dept., University College of Wales, Aberystwyth, UK
Lines: 77
X-Disclaimer: Any statement is purely personal, and might be wrong.

In article <28185@tut.cis.ohio-state.edu> bob@allosaur.cis.ohio-state.edu (Bob Sutterfield) writes:

    Heck no, large networked installations are everyone's problem :-)

    Hopefully there will be a way to ignore suid and sgid bits on filesystems mounted from the optical disk, at the very least. There are lots of other things to worry about. I'd want to completely disable booting from the floppy on a non-secure workstation. In a network environment, I'd want to completely disable booting from any local Winchester disk, as well.

The only thing I'd worry about is adopting this heavy-handed, ineffectual approach to network security. Please refer to comp.protocols.tcp-ip (and comp.unix.wizards).

It has been repeated to the point of exhaustion that security in a networked environment is obtained by suitable protocol emanating from trusted bases, not by network-based physical restrictions (some innocent soul even admitted that she had never thought that someone could easily start filtering packets on an ethernet for passwords), and people have expended vast research efforts on these issues.

Projects Andrew and Athena have done a lot of good work on network security where there are thousands of non-trusted machines around, and there are no restrictions on their use. Go and learn about them.

Gentle reader, please type n if you do not like mild flames on the performance and instincts of many system administrators.

*MILD FLAME ON*

Many sys admins with a delusion of "management" have a gut instinct that the best way to achieve something is by inconveniencing users and imposing restrictions. Well, not only is this unnecessary, it is also quite ineffectual, because it is easily circumvented in most cases, and certainly in the one this article is about.

I have seen enough of the:

    There ought to be a LAW against *users* being allowed to *boot*, hitherto an arcane ritual only allowed to the inner sanctum! We must protect our privileges, even at the cost of pretending that by forbidding *users* (the five-letter word) to do certain things real security will be achieved.

attitude to be fed up. As somebody pointed out, the first thing new *users* are told at MIT is the root password and yet security is probably better there than in a network in which users cannot use the suid/sgid facility, and cannot boot their own machines from whatever disk they want; this probably means that sys admins at MIT are not so obsessed with their status and power that they think that it is the key to every problem.

I really *despise* system administrators that think that since they are the boss all problems can be most effortlessly resolved by dictum from above and display of authority, when the only problems are the limits to their knowledge and imagination.

By the way, I have been a sys admin myself, on and off since 1977, for fairly large systems and then networks, and I have always felt confident enough of my quality to know that I could usually find a solution to most problems that does not restrict users' choices and options if only I thought a bit harder about it. I have never felt like playing the master wizard game, I did not have the time to spare to pose.

*MILD FLAME OFF*

--
Piercarlo "Peter" Grandi                    INET: pcg@cs.aber.ac.uk
Sw.Eng. Group, Dept. of Computer Science    UUCP: ...!mcvax!ukc!aber-cs!pcg
UCW, Penglais, Aberystwyth, WALES SY23 3BZ (UK)