Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!diplodocus.cis.ohio-state.edu!jgreely
From: jgreely@diplodocus.cis.ohio-state.edu (J Greely)
Newsgroups: comp.sys.next
Subject: Re: NeXT concerns
Message-ID: <32926@tut.cis.ohio-state.edu>
Date: 28 Jan 89 23:31:00 GMT
References: <4474@umd5.umd.edu> <32681@tut.cis.ohio-state.edu> <33@xenlink.UUCP> <669@blake.acs.washington.edu>
Sender: news@tut.cis.ohio-state.edu
Reply-To: J Greely
Organization: THE Ohio State University, CIS Dept.
Lines: 47

In article <669@blake.acs.washington.edu> mrc@Tomobiki-Cho.UUCP (Mark Crispin) writes:
>It's an utter fallacy to believe that an individual with physical access
>to a NeXT (or any other computer) can't trivially become root on that
>machine.

This is *mostly* true at the moment, and is due to the current design of most workstations. It is not, however, a universal truth, and should not be treated as such. After much pounding, Sun has finally released a PROM that purports to disallow low-level mucking, and has added the option to force the use of a password to boot single-user in SunOS 4.0. We don't have the combination here yet, but I'd love to attack them when we do. I have a feeling it won't be quite so trivial to exploit that set of holes. We'll have to use the *other* holes.

>The problem is these cretins who believe in "trusted hosts" and that
>being root on some workstation entitles one to root elsewhere.

Who cares about trusting root? Bluntly, I can do almost as much damage with a machine that is trusted for non-root access only. Is it trusted for rlogin? rsh? rexd? yp? All known potential problems, all vulnerable to one person getting root on a networked workstation.

Cretins, Mr. Crispin? Only if we believe that not trusting root from a workstation will solve our security problems. From any one of our 250+ workstations, I can remove the files of every user on our network. Not one of those workstations is trusted by any other as root. Sure, trusting root would make it easier for an unscrupulous undergrad (or an alliterative administrator, for that matter) to cause damage, but it's foolish (cretinous?) to imply that the only way to abuse a network is through global root access.

But I've got more concerns than trashing user file systems. I'm not sure that Kerberos is the way to go, or as useful as they claim. Anyone remember the recent hate mail incident involving Nancy Gould? The mail was sent from some anonymous person who'd logged in as root at a public workstation at MIT and telnet'd to the SMTP port of her machine. Guess you don't need to be authenticated to make use of worldwide network services. Makes my little heart just *glow* with anticipation.

-=-
J Greely (jgreely@cis.ohio-state.edu; osu-cis!jgreely)
The Ohio State University, Department of Computer and Information Sciences
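
The post's argument about hosts trusted only for non-root rlogin/rsh can be checked on a given machine by listing what its trust files actually grant. The following is an added example, not part of the original post; it assumes the conventional `hosts.equiv`/`.rhosts` line syntax described in its docstring, and the function name and sample entries are constructed for illustration.

```python
# Added example: list what rsh/rlogin trust files grant (hosts.equiv / .rhosts).
from typing import List, Tuple

# Constructed sample entries; not taken from any real system.
SAMPLE_HOSTS_EQUIV = """\
# lab workstations
ws001.example.edu
ws002.example.edu  alice
+@labhosts
-badhost.example.edu
+ +
"""


def audit_trust(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, severity, finding) for every trust-granting entry.

    Assumed syntax: 'host [user]', '+' as wildcard, '+@name' for a netgroup,
    a leading '-' for an explicit deny, and '#' starting a comment.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        host = fields[0]
        user = fields[1] if len(fields) > 1 else ""
        if host.startswith("-") or user.startswith("-"):
            continue  # deny entries grant nothing
        if host == "+":
            findings.append((lineno, "critical", "every host is trusted"))
        elif user == "+":
            findings.append((lineno, "critical", f"every user on {host} is trusted"))
        elif host.startswith("+@"):
            findings.append((lineno, "high", f"all hosts in netgroup {host[2:]} are trusted"))
        else:
            # The post's point: no root trust is needed. Whoever is root on
            # this host can claim any non-root account name it likes.
            findings.append((lineno, "high", f"{host} vouches for its own user names"))
    return findings


if __name__ == "__main__":
    for lineno, severity, finding in audit_trust(SAMPLE_HOSTS_EQUIV):
        print(f"line {lineno}: [{severity}] {finding}")
```

Every "high" line is a workstation whose local root is, in effect, trusted for all non-root accounts on the auditing host, which is the exposure the post describes.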