Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Usenet -> c.d.o.server -> Re: Is Unix security really so weak?

Re: Is Unix security really so weak?

From: Andrew Gierth <andrew_at_erlenstar.demon.co.uk>
Date: 1997/04/04
Message-ID: <87lo6zpl9c.fsf@erlenstar.demon.co.uk>#1/1 







>>>>> "Peter" == Peter Luckock <luckock_at_enternet.com.au> writes:



 Peter> Hi. 
 Peter> As an end-user I need access to Oracle SQL*Plus on a
 Peter> SUN/Solaris installation (sorry, I don't have version
 Peter> details). And a home directory. Nothing more.

 Peter> But wait! The Unix admin/support unit at my workplace tell me


 Peter> that what I'm asking for is impossible, "for security
 Peter> reasons".



Haha.


 Peter> I'm now being told that NO user account in Unix is safe - that
 Peter> no matter how many controls are implemented by the superuser,
 Peter> even a humble end-user account could be used successfully to
 Peter> crack them all and evade detection. And the risk of this
 Peter> happening is serious enough to be of concern to auditors.

 Peter> I find this all rather implausible, especially for an OS
 Peter> that's been kicking around for 20 years. You'd think that


 Peter> companies like SUN would be very quick to plug any holes as
 Peter> big as that.



I've never used Solaris, but on HP-UX there was a group of people who's 
main aim in life was to find a new security bug in HP-UX every week. Most
of these, despite being publically announced, went unfixed for weeks or
months - and in some cases, the fix was then immediately broken by the 
same people.



Almost all of them were buffer overruns or file overwrites - programs with
root privilege that could be fed bogus data to make them do strange things.



This isn't so much a flaw in Unix, as simply not being sufficiently
defensive in programming. Quite a lot of it is "C Programmer's Disease" -
the use of arbitrary-sized arrays, buffers etc.


 Peter> Or, if my colleagues are right and Unix "security" is really
 Peter> an illusion, then why do we still use it? (How did the
 Peter> auditors ever approve it?)





 Peter> Perhaps it's just another case of the old "sorry, can't be
 Peter> done" excuse?



It may well be more work for the admins (keeping up with security patches,
etc.) maintaining the level of security they wish if they have to cope
with local shell users (a large proportion of security holes require a
local account).


-- 
Andrew.


Received on Fri Apr 04 1997 - 00:00:00 CST












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US