Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!bloom-beacon!bu-cs!encore!bzs@encore.com
From: bzs@encore.com (Barry Shein)
Newsgroups: comp.unix.wizards
Subject: Re: Unix security suggestion
Message-ID: <4245@encore.UUCP>
Date: 19 Nov 88 22:24:48 GMT
References: <8064@bloom-beacon.MIT.EDU>
Sender: news@encore.UUCP
Reply-To: bzs@encore.com (Barry Shein)
Organization: Encore Computer Corp
Lines: 73
In-reply-to: scs@athena.mit.edu (Steve Summit)

From: scs@athena.mit.edu (Steve Summit)
>One of the disturbing things about Unix security is that bugs in
>the protection mechanisms tend to be catastrophic: they don't
>just let you do some little unintended thing; more often than not
>they let you do anything, as root.

I don't know why you imply that somehow unix is more susceptible to
such security bugs than other systems, do you base this on anything or
did it just sound good at the time? I can list various serious
security bugs that have cropped up in other O/S's just as inherent to
their design, or misfeatures.

>Of course, in Computer Science, as in Mathematics, as in Nature,
>everything drains towards 0, so the fact that uid 0 is both the
>superuser and the most likely accidental value can be seen as an
>invitation to disaster.
>
>If only the kernel tested for superuser status neither with
>
>	if(!u.u_uid)
>
>nor with
>
>	if(u.uid == 0)
>
>but with
>
>	if(u.uid == SUPERUSER)

I'm not sure I go along with your theory that zero is the most common
random number or whatever it was you were postulating.

Actually, modern kernels use an suser() boolean function, although
I'll guarantee you a lot of utilities do assume the superuser id is 0.
It can be done but someone will have to demonstrate the effectiveness
of bothering.

In the current panic/mob-mentality mode I see on this list tho it will
hardly need justification, every stupid idea ever thought of will be
implemented somewhere.

The real "problem" with Unix is simple: Unix, for many years of its
life, was a maverick system supported by basically no one although
hacked on by many. Now suddenly in the last year or two everyone woke
up (IMHO) and decided that Unix was right all along. That's very nice,
but the years of malice and neglect show at this point.

It's too bad that people wasted billions and billions on brain-damaged
upper-case operating systems for so many years (and still do) and
sneered at Unix but that's history, you can't retrieve the money they
wasted although some of those folks oughta be vilified for their
myopia, most of them are probably too busy declaring themselves Unix
gurus.

Unix wasn't exactly ignored either, it was the victim over the years
of many carefully constructed campaigns to destroy it, the most
vicious of which involved vigorous vendor attempts to get people who
brought Unix into shops fired. Most of them today take out full page
ads declaring themselves to be *the* Unix vendor.

Maybe folks are venting their anger at the wrong folks. Sun for
example didn't screw you, they saved you by demonstrating to the world
that Unix can be good business and legitimizing it. At least you're on
a reasonable path now to get some work done and shop for the hardware
you need rather than what's shoved down your throat.

Give it a few years and maybe these problems will be solved, and most
likely with it Unix will become expensive...

	-Barry Shein, ||Encore||
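
The tests quoted in the post above differ in what they do with a record that was cleared but never assigned, and in whether they keep working if the superuser id changes. This is an added example, not part of the original post or of any kernel source; `demo_uid_t`, `demo_user`, `demo_suser` and the `0x5A5A` value are hypothetical names and constants chosen for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef unsigned short demo_uid_t;            /* hypothetical uid type */
#define ROOT_ZERO     ((demo_uid_t)0)         /* traditional superuser id */
#define ROOT_SENTINEL ((demo_uid_t)0x5A5A)    /* assumed non-zero id, for contrast only */

struct demo_user { demo_uid_t uid; };         /* stand-in for the per-process user area */

/* One place that decides, in the style of a suser() predicate. */
static bool demo_suser(const struct demo_user *u, demo_uid_t superuser) { return u->uid == superuser; }

/* The literal `!uid` test: correct only while the superuser id is 0. */
static bool inline_zero_test(const struct demo_user *u) { return !u->uid; }

/* Models a record that was cleared on allocation but never filled in. */
static struct demo_user cleared_record(void)
{
    struct demo_user u;
    memset(&u, 0, sizeof u);
    return u;
}

/* Does a cleared, never-assigned record pass as superuser under this id? */
static bool cleared_record_is_root(demo_uid_t superuser)
{
    struct demo_user u = cleared_record();
    return demo_suser(&u, superuser);
}

/* Does the hard-coded zero test still recognise the real superuser? */
static bool inline_test_recognises(demo_uid_t superuser)
{
    struct demo_user u = cleared_record();
    u.uid = superuser;
    return inline_zero_test(&u);
}

int main(void)
{
    printf("cleared record is root, id 0:        %d\n", cleared_record_is_root(ROOT_ZERO));
    printf("cleared record is root, sentinel id: %d\n", cleared_record_is_root(ROOT_SENTINEL));
    printf("!uid recognises sentinel superuser:  %d\n", inline_test_recognises(ROOT_SENTINEL));
    return 0;
}
```

With id 0 a cleared record is treated as superuser; with a non-zero id it is not, but every caller that hard-codes `!uid` then stops recognising the real superuser, which is why the check has to live in one predicate before the value can change.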