Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Is Unix security really so weak?

From: Jon LaBadie <jon_at_jgcomp.jvnc.net>
Date: 1997/04/09
Message-ID: <E8DqE0.M7q@jgcomp.com>

In article <87lo6zpl9c.fsf_at_erlenstar.demon.co.uk>, Andrew Gierth <andrew_at_erlenstar.demon.co.uk> writes:
|>
|>
|> I've never used Solaris, but on HP-UX there was a group of people whose
|> main aim in life was to find a new security bug in HP-UX every week. Most
|> of these, despite being publicly announced, went unfixed for weeks or
|> months - and in some cases, the fix was then immediately broken by the
|> same people.

UNIX has a public perception problem that is only partially deserved. It is a quite open system with all the good and bad that implies. One thing that happens is we "publicize" our warts. Not saying that is bad, just it is the situation.

Other OSes keep problems under wraps. In a Sys Admin class I was teaching several years ago, one student complained about all the defects I was mentioning that these neophyte SAs should be concerned with. He said, "I'm coming from a mainframe environment and we never had anything like this." Before I could respond another student spoke up, bless her. She said, "Honey, you were a user, not an administrator. I was in Ops. Every month, or more often, we got a large tape of software 'updates'. Lots of those were security fixes."

|> This isn't so much a flaw in Unix, as simply not being sufficiently
|> defensive in programming.

I've a great example of this, the passwd(1) program. A decade ago I put in a defect report to AT&T. Seems no checks of the fprintf return codes were incorporated. How often do you check printf? Besides it was run as root, what could fail?

Anyway, one of my users set their ulimit to 0 and changed their password. The passwd program created a temporary new passwd file of zero bytes size. Renamed the original passwd file to opasswd and renamed the tmp file to passwd.

Even root could not log in. No entry. Couldn't even su to root.

jl

-- 
Jon H. LaBadie                  jon_at_jgcomp.com
 JG Computing                   jon_at_jgcomp.jvnc.net
 4455 Province Line Road        (609) 252-0159
 Princeton, NJ  08540-4322      (609) 683-7220 (fax)
Received on Wed Apr 09 1997 - 00:00:00 CDT
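The passwd(1) failure described in the post, reproduced as an added example (this is not code from the original message or from any passwd implementation): the process lowers its own RLIMIT_FSIZE to zero, the way the user's `ulimit` did, and then rewrites a stand-in for the passwd file twice. The first routine ignores the fprintf/fclose return values and renames a zero-byte temp file over the original; the second checks every step and refuses to rename. The file names and the sample entry are constructed for the demonstration, and the code assumes a POSIX system with a writable /tmp.

```c
/*
 * Added example, not from the original post or any real passwd(1).
 * Rewriting a file via temp-file-plus-rename, with and without checking
 * the write results, under a zero file-size limit (ulimit -f 0).
 */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed stand-in for the passwd file contents. */
static const char *SAMPLE_ENTRY = "root:x:0:0:root:/root:/bin/sh\n";

/* Unchecked variant: mirrors the defect in the story. fprintf and fclose
 * return values are ignored, so a failed write still ends in rename(). */
int rewrite_unchecked(const char *path, const char *contents)
{
    char tmp[4096];
    snprintf(tmp, sizeof tmp, "%s.tmp", path);
    FILE *fp = fopen(tmp, "w");
    if (!fp) return -1;
    fprintf(fp, "%s", contents);   /* return value ignored */
    fclose(fp);                    /* flush failure ignored too */
    return rename(tmp, path);      /* a 0-byte file replaces the original */
}

/* Checked variant: data must be flushed, synced and of the expected size
 * before the temp file is allowed to replace the original. */
int rewrite_checked(const char *path, const char *contents)
{
    char tmp[4096];
    snprintf(tmp, sizeof tmp, "%s.tmp", path);
    FILE *fp = fopen(tmp, "w");
    if (!fp) return -1;
    size_t len = strlen(contents);
    struct stat st;
    if (fputs(contents, fp) == EOF || fflush(fp) != 0 || fsync(fileno(fp)) != 0 ||
        fstat(fileno(fp), &st) != 0 || (size_t)st.st_size != len) {
        fclose(fp);
        unlink(tmp);               /* leave the original untouched */
        return -1;
    }
    if (fclose(fp) != 0) { unlink(tmp); return -1; }
    return rename(tmp, path);
}

/* Size of the file at path in bytes, or -1 if it cannot be stat'ed. */
long file_size(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (long)st.st_size;
}

/* Reproduce "ulimit -f 0" for this process. With SIGXFSZ ignored, the
 * offending write(2) returns EFBIG instead of killing the process. */
static void impose_zero_file_size_limit(struct rlimit *saved)
{
    signal(SIGXFSZ, SIG_IGN);
    getrlimit(RLIMIT_FSIZE, saved);
    struct rlimit rl = *saved;
    rl.rlim_cur = 0;               /* soft limit only, so it can be restored */
    setrlimit(RLIMIT_FSIZE, &rl);
}

/* Runs the scenario. Returns 0 when the unchecked rewrite "succeeds" and
 * leaves a 0-byte file while the checked rewrite fails and keeps the data;
 * any other value identifies the step that did not behave as expected. */
int run_demo(void)
{
    char a[128], b[128];
    snprintf(a, sizeof a, "/tmp/passwd-demo-%ld-unchecked", (long)getpid());
    snprintf(b, sizeof b, "/tmp/passwd-demo-%ld-checked", (long)getpid());

    /* Populate both copies while writes are still allowed. */
    if (rewrite_checked(a, SAMPLE_ENTRY) != 0 || rewrite_checked(b, SAMPLE_ENTRY) != 0)
        return 1;
    long expected = (long)strlen(SAMPLE_ENTRY);

    struct rlimit saved;
    impose_zero_file_size_limit(&saved);
    int rc_unchecked = rewrite_unchecked(a, SAMPLE_ENTRY);
    int rc_checked = rewrite_checked(b, SAMPLE_ENTRY);
    long size_a = file_size(a), size_b = file_size(b);
    setrlimit(RLIMIT_FSIZE, &saved);
    unlink(a); unlink(b);

    if (rc_unchecked != 0 || size_a != 0) return 2;
    if (rc_checked == 0 || size_b != expected) return 3;
    return 0;
}

int main(void)
{
    int rc = run_demo();
    printf("demo %s (code %d)\n", rc == 0 ? "reproduced the failure" : "did not behave as expected", rc);
    return rc;
}
```

The point the post makes is that "it runs as root, what could fail?" is the wrong question: a per-process resource limit is inherited by the setuid program, and rename() is the only step that is atomic, so everything before it has to be verified before it is used.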
