fix for login
Stan Johnson
johnson at EULER.JSC.NASA.GOV
Tue Mar 5 08:32:40 AEST 1991
Vernon Schryver writes:
> Silicon Graphics is a commercial, for-profit organization. The NFSNET and
> BARRNet acceptable use restrictions explicitly prohibit us from using the
> Internet or BARRNet for private gain. We can post things for the use of
> universities, other educational institutions, and non-profit research
> organizations. We cannot post them for others.
(...)
> It would be at best complicated to get our "for-profit" customers to sign
> such an agreement, and to ensure that only those who had signed and those
> who at "academic and research institutions" could get the fixed binary.
(...)
> It is one thing to bend the rules for security fixes in a new sendmail, or
> to blink at them with a sendmail that does MX, since all Internet email is
> supposed to be to or from "academic and research institutions" and so a
> fixed sendmail at commercial site helps the academics. A similar rational
> seems unlikely for fixing /bin/login at commercial sites.
I AM A LITTLE SURPRISED AT THE ABOVE REACTION FROM SGI TO THEIR CUSTOMERS'
VALID CONCERNS ABOUT SECURITY HOLES IN /bin/login. THE ABILITY TO CHANGE
ANOTHER USER'S PASSWORD BY SIMPLY GETTING ACCESS TO HIS OR HER ACCOUNT
THROUGH rlogin SEEMS A VALID ENOUGH SECURITY REASON FOR SGI TO DISTRIBUTE
A FIX. THERE MAY BE SOME GOOD REASONS NOT TO POST THE EXECUTABLE ON
sgi.com, BUT THAT DOES NOT DIMINISH THE NEED TO COMMUNICATE THE INFORMATION
TO CUSTOMERS IN ONE WAY OR ANOTHER.
AND I DON'T THINK REQUESTING A FIX TO A SERIOUS PROBLEM FOR WHICH THERE
IS A KNOWN FIX MAKES ANYONE A "SQUEAKY WHEEL", AS WAS SUGGESTED IN AN
EARLIER MESSAGE FROM SGI.
-STAN JOHNSON
(713) 483-4692
NASA / Johnson Space Center
email: johnson at euler.jsc.nasa.gov
More information about the Comp.sys.sgi
mailing list