Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!cornell!uw-beaver!blake!Tomobiki-Cho!mrc
From: mrc@Tomobiki-Cho.acs.washington.edu (Mark Crispin)
Newsgroups: comp.sys.next
Subject: Re: NeXT concerns
Message-ID: <669@blake.acs.washington.edu>
Date: 28 Jan 89 21:22:35 GMT
References: <4474@umd5.umd.edu> <32681@tut.cis.ohio-state.edu> <33@xenlink.UUCP>
Sender: news@blake.acs.washington.edu
Reply-To: mrc@Tomobiki-Cho.UUCP (Mark Crispin)
Organization: Mendou Zaibatsu, Tomobiki-Cho, Butsumetsu-Shi
Lines: 20

In article <33@xenlink.UUCP> deraadt@xenlink.UUCP (Theo A. DeRaadt) writes:
>I can just see a student bring in his optical disk, put it in, mount it,
>and run a setuid program on it. Now he's root. Fun stuff.

What difference does that make? If you can mount your OD while having the
SCSI filesystem booted, then you needed root to run /etc/mount. Of course,
you could have booted the NeXT from the OD (since it's *your* OD, presumably
you know how to become root on it) and then mounted the SCSI filesystem.

You don't even need an OD. Just boot the system standalone and you're root.

It's an utter fallacy to believe that an individual with physical access to a
NeXT (or any other computer) can't trivially become root on that machine. The
problem is these cretins who believe in "trusted hosts" and that being root on
some workstation entitles one to root elsewhere.
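The set-uid-on-removable-media scenario the two posters are arguing about has a concrete check an admin can run. What follows is an added example, not part of Crispin's post and not NeXT's or anyone's shipped code: a POSIX shell script that lists set-uid files on a volume and reports whether the volume is mounted `nosuid` (the option that makes the kernel ignore set-uid bits on exec). Function names (`find_setuid`, `mounted_nosuid`, `audit_volume`, `make_sample_volume`) are hypothetical, and the "optical disk" is a constructed scratch directory containing a set-uid shell wrapper; it assumes `find`, `awk` and, on Linux, `/proc/self/mounts` (falling back to parsing `mount` output elsewhere).

```shell
#!/bin/sh
# Added example (not from the post): audit a mounted volume for set-user-ID
# programs, and check whether its mount carries the "nosuid" option that
# makes such programs harmless. Function names are hypothetical; the sample
# volume is a scratch directory constructed below to stand in for a
# user-supplied optical disk.

# find_setuid DIR: list every regular file under DIR with the set-uid bit,
# sorted so the output is stable. Run it over any freshly mounted
# user-supplied disk before anyone executes anything from it.
find_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# mounted_nosuid MOUNTPOINT: exit 0 if MOUNTPOINT (an exact mount point as
# the system lists it, not a subdirectory) is mounted with nosuid, so the
# kernel ignores set-uid bits on it; non-zero otherwise, including when
# MOUNTPOINT is not a mount point at all. Reads /proc/self/mounts on Linux
# and falls back to parsing `mount` output on other systems.
mounted_nosuid() {
    mp=$1
    if [ -r /proc/self/mounts ]; then
        awk -v mp="$mp" '
            $2 == mp && $4 ~ /(^|,)nosuid(,|$)/ { found = 1 }
            END { exit !found }' /proc/self/mounts
    else
        mount | awk -v mp="$mp" '
            $3 == mp && /nosuid/ { found = 1 }
            END { exit !found }'
    fi
}

# audit_volume MOUNTPOINT: print a one-line verdict followed by any set-uid
# files found. Returns 0 when the volume is safe (mounted nosuid, or no
# set-uid files present) and 1 when a set-uid program on it would actually
# run with its owner's privileges, which is the case DeRaadt worries about.
audit_volume() {
    mp=$1
    suid=$(find_setuid "$mp")
    if mounted_nosuid "$mp"; then
        printf 'OK: %s is mounted nosuid; set-uid bits are ignored\n' "$mp"
        [ -n "$suid" ] && printf '%s\n' "$suid"
        return 0
    fi
    if [ -z "$suid" ]; then
        printf 'OK: %s honours set-uid but carries no set-uid files\n' "$mp"
        return 0
    fi
    printf 'WARNING: %s honours set-uid and contains:\n%s\n' "$mp" "$suid"
    return 1
}

# make_sample_volume: constructed stand-in for a student's optical disk.
# It is a plain scratch directory, not a real mount, so mounted_nosuid
# reports it as honouring set-uid. Prints the directory path.
make_sample_volume() {
    vol=$(mktemp -d)
    mkdir -p "$vol/bin" "$vol/usr/local/bin"
    printf '#!/bin/sh\nexec /bin/sh\n' > "$vol/bin/rootshell"
    chmod 4755 "$vol/bin/rootshell"               # set-uid: the "fun stuff"
    printf '#!/bin/sh\necho hi\n' > "$vol/usr/local/bin/harmless"
    chmod 0755 "$vol/usr/local/bin/harmless"      # ordinary executable
    printf '%s\n' "$vol"
}

# Stand-alone run: build the sample volume, audit it (expected to warn,
# since a scratch directory is not a nosuid mount), and clean up.
vol=$(make_sample_volume)
audit_volume "$vol" || :
rm -rf "$vol"
```

Against a real disk, pass the mount point itself (`audit_volume /mnt/od`); the useful fix on the mounting side is to mount user-supplied media with `nosuid,nodev`, and the script's verdict tells you whether that was done. Note that the script only addresses the mounted-while-running case; it says nothing about the standalone-boot route Crispin points out, which no file-system option can close.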