Path: utzoo!attcan!uunet!cs.utexas.edu!tut.cis.ohio-state.edu!lisa.cis.ohio-state.edu!jgreely
From: jgreely@lisa.cis.ohio-state.edu (J Greely)
Newsgroups: comp.sys.next
Subject: Re: Security and defaults.
Message-ID: <51542@tut.cis.ohio-state.edu>
Date: 9 Jun 89 04:19:58 GMT
References: <4985@umd5.umd.edu> <43b721a8.19ac2@wasp.engin.umich.edu>
Sender: news@tut.cis.ohio-state.edu
Reply-To: J Greely
Organization: Ohio State University Computer and Information Science
Lines: 260

In article <43b721a8.19ac2@wasp.engin.umich.edu> hobbes@caen.engin.umich.edu (Steven J Mattson) writes:
>From article <4985@umd5.umd.edu>, by feldman@umd5.umd.edu (Mark Feldman):

[Mark's clear, reasonable discussion deleted]

>You'd think with all of the possibilities available people in this newsgroup --

Huh?

>either directly here given that lots of people from Next participate or
>through their sales reps -- to get their problems aired, that someone would
>be able to civilly discuss their difficulties without baselessly ripping
>into the company for self-gratification.

Would you mind clarifying that? "Baselessly ripping into the company for self-gratification" might sound pretty, but I haven't the slightest idea what you're referring to. If you want civil discussions of problems, I could post the twenty-odd pages of bug reports I've sent since 0.9 arrived, and lots of people could go "Yup, I seen that one too."

> This whole issue of security has
>read like a study in ineptitude. Yes, I will back this up:

Good thing, too. Otherwise I'd start questioning where the "ineptitude" is coming from. This "issue of security" is rather important to a large number of people.

>1) Next is trying to produce a machine with native unix that has the ease
> of use of a Macintosh.

Well, that's one way of putting it. The pithier expression bandied about is "a networked Mac with an operating system." It's not meant to be insulting, but the impression we've gotten is that the Mac side is dominant.
>Other than the lack of software, they've done
>a fair job so far, but if people would stop flaming long enough to
>point out problems then maybe it could be better.

Uh, what flaming? I've seen people pointing out problems, but nothing that can really be considered a flame, unless it's what I'm replying to.

>For example, allowing anyone who feels like it to change the system
>time on a unix machine is incredibly stupid, I agree. So tell Next
>to take it out or at least protect it from casual stupidity.

We did. Several other people did. One of them apparently had to deal with it one too many times, and, in his frustration, posted asking whether he was completely off-base in thinking it was a problem. He's not.

>But as another example, allowing BuildDisk to run suid is not quite as
>stupid, if your system is standalone on someone's desk.

BuildDisk alone wouldn't be a real problem. It's the fact that I can make anyone else's machine boot off of my disk that is the problem. I walk into the lab, boot the machine off my disk, bring it up on the network, and read anyone's files that I care to. I don't know too many faculty who'd be pleased if we added this feature to an undergrad lab.

>If you want to be able to initialize a disk, pop it in and do it.
>Preventing people from building the disk they're currently booted off
>of is more a concern.

No, that's not a problem at all. If they screw up the current system disk, they can't *do* anything with it. They've made work for the administrators, but they haven't gained access to anyone's files. It's a problem I can live with, although I'd probably remove it if we ever installed NeXTs publicly.

More to the point, why do people need to make bootable optical disks so easily? Just how many do you need? If the machine has a hard disk or netboot server, 0. For optical-only, 1. Data disks should be trivial (and they are), but I can't see any real call for a setuid BuildDisk. Justifications, anyone?
>Next has consistently said that they want to hide the unix from people
>as much as possible. Their machines come configured for standalone use,
>with *absolutely nothing* restricted from the user who sets up the machine.

I don't have a problem with this. In many respects I think it's a good idea. The problem comes when they change Unix into something else to make it easier to hide.

>If this is how you leave the machine (and if you're not on a network, why
>not?) then for the most part it is no easier or harder to trash than a Mac.

Why not? Well, I guess it's my Unix blood, but data integrity has appeal for me. The default configuration under 0.9 lets *anyone* do anything. If I were to purchase a NeXT as a personal machine (which has crossed my mind), I would make the same changes to it that I make to the one in my office, if only because I like my files intact.

>2) Even when on a network, Nexts are still set up to make network
> configuration for a small homogeneous network as painless as possible.
> I think this is as it should be if Joe Prof. is going to buy one.

If a random professor buys NeXTs out of his research money, I agree that things should be simple. And it will work fine, as long as they speak only to each other. I have no problems with it at this point, and I'll be happy to help out. When they ask about connecting it to the rest of the department, they start to need that friendly Unix expert (cunningly disguised as campus support). When they ask about sharing files with non-NeXTs, they start to need their own Unix person. And so it goes. Eventually they get to sendmail...

>Do you think he has
>enough knowledge of unix to get the thing up and running in a massive
>heterogeneous environment anyway? Not the Profs around here.

Nor here, for the most part, but they don't need to. When they've had their machine running standalone for four months and suddenly want it on our network, *we* have to deal with how it integrates with the other machines we have.
Pretty sysadmin tools don't help for that. We need to treat it as a Unix box. We need to handle routing (static routing is a typo under 0.9), sendmail (sendmail.cf and aliases were moved elsewhere without documenting the change), NFS (mount and umount don't work right once autodiskmount is started), accounts (NetInfo + YP + whatevercomesnext), and, most importantly, security (vaguely supported under 0.9). Not to mention finding out what they've customized.

These are the things we (or at least I) pay attention to, and they're the ones that determine how we view the machine. No amount of design philosophy can hide the fact that someone, somewhere along the line, ends up dealing with it as a Unix machine. When it reaches that point, it's a good idea for it to be as normal as possible. That's why we didn't like the gratuitous filesystem reorganization in 0.8.

>Gee, maybe that's why they wanted to have campus support people?

Say it isn't so! :-)

>3)There are two sets of people losing their heads consistently in this group.

Three.

>The first group can't wait to get their hands on sources so they can see
>which calls Next used to write stuff, and then they'd probably complain
>about the order of parameters or something of equal redeeming value.

If this is what you think the source argument is about, you've successfully convinced me that we don't live in the same world. If you meant it to give me a case of the giggles, thanks. I needed it.

>They said it wasn't going to happen unless you had a good reason, find one.

You're leading us on, right?

>Maybe if some of the overunixed
>people smashed their heads into those of the underunixed we could all get
>some work done.

"overunixed?" "underunixed?" Where the bloody heck are *you*? "justrightunixedandproudaspunchaboutit?" Sounds that way...
>Another example: Using the same software techniques that Sun administrators
>use to prevent access to the singleuser boot, we've had Nexts in PUBLIC labs
>for people to try out since late December. Every once in a while someone
>would have to go reboot one (a 0.8 trademark) but the security of the machine
>or the network was never an issue.

Very impressive. So what happens when I sit down, halt the machine, diddle kernel memory, and continue with a root shell? What happens when I insert my carefully-prepared optical disk and take over a machine? If you run off opticals, what stops me from taking the boot disk from one, modifying it in another, and putting it back? Do your software techniques involve shutting off autodiskmount, stripping setuid from everything in sight, hacking rc.boot, and other "Unix-knowledge-required" methods? This is what it would take to stop the casual intruder, and as for the determined hacker, forget it.

I'm not attacking you here, in fact I'd love to hear what you've done, but my concern is how much *more* needs to be done to secure a NeXT than a "normal" workstation.

>4)Need I remind you all that we're talking about a BETA machine here. People
>seem to keep forgetting that the software release they're running has a major
>version number of "0".

I can't forget. The number of times I have to reboot (averaging at least once a day) serves as a constant reminder.

>As I see it, the whole point of this massive and
>unprecedented beta test was to help them make a "final product" that would
>better meet the needs of their market than anything that exists so far.

(side note: one could say much the same about Word 4.0 on a Mac, but one would be deluded. Not necessarily relevant, but who knows?)

Well, the result is that we've determined that we're not part of the market, at least for now. NeXT currently doesn't fit into our environment. We're still following the machine, making suggestions and reporting problems, but we're not buying.
I have great hopes for 1.0, but my realistic expectations are more modest. Maybe they can still blow us away with the real release, but some people have given up believing.

>In the
>mean time all of you eager beavers could be looking for things that might
>potentially harm the system and informing CALMLY both Next and the rest of
>us so that we can take steps to protect ourselves from disaster.

So who's not being calm? I've been very careful to restrain myself from posting some of my more volatile commentary (which I quite cheerfully discuss in email or in person). I don't recall anything particularly vitriolic from others recently, so maybe you're overreacting just a tad?

>I think I've stated my point enough here. You all have a chance to
>make a difference, but instead you spend all day flaming Next for

I suggest using the on-line Webster's to look up "hyperbole". Also "flame". These should be sufficient for you to categorize your statement.

>Everything you say either
>applies to other vendors as well, or is a complaint about an attempt
>Next has made to solve problems that other vendors have as givens.

Nope. Many of them are particular problems that NeXT has introduced by trying to marry Macs with workstations. Attempting to satisfy both ends isn't easy, and my impression is that they lean towards the Mac end when a conflict arises. I have problems with that, since I'm sitting squarely among the workstations.

>I've been just as pissed at the machine as any of you on occasion,
>but they've said they're going to fix things so I report 'em and put
>up workarounds for the users here.

Part of my problem is that I have two categories of things wrong with the NeXT: things that don't work the way they're supposed to, and things that don't work the way I think they should. I can expect bugs to be fixed when I report them, but what do I do about something that is a deliberate design feature, and that works just fine?
I might dislike it so much that I won't buy the machine, but it's going to be a lot harder to get fixed. I consider the modification to /bin/su to be *evil*, and if I didn't have 4.3 source it would be a serious problem. It's a feature, and I despise it with a passion. Will it get "fixed"? Wish I knew.

>Real tough to do. Save your flames for worthwhile problems.

If I ever flame NeXT, you'll know it. Trust me. The times I've been really tempted, I've refrained mostly because it *is* pre-release, and they're trying hard to finish it. Not to mention that it wouldn't accomplish anything besides telling the world that I'm unhappy.

>These are MY opinions,
>if you don't agree with them,
>piss off.

Nice touch, for someone who complains about flaming. I suggest you take your own advice in this.
-=-
J Greely (jgreely@cis.ohio-state.edu; osu-cis!jgreely)