Another reason why a few sources should come with binary licenses
BostonU SysMgr
root%bostonu.csnet at csnet-relay.arpa
Sun Sep 1 23:30:05 AEST 1985
Is this an unreasonable (or useless) place to air this? My hope is
some reasonable (most) people from ATTIS read this list. If not
send me a few flames and I'll shut up.
The argument thus far is that binary licenses to UNIX should always
come with a few sources because of various security and administrative
policies that a site might need to institute that shouldn't require
a full source license, among those mentioned were login.c. So far the
list has been:
1. The ULIMIT problem, modifying login.c is currently the
only effective way to raise ulimit above 2048 on SYSV.
2. Enforcing times when certain users can or cannot login,
or other variables (eg. load, free dialups available etc.)
This *could* be done via /etc/profile but I think most would
agree it belongs in login.
3. Schemes like if they type in N bad passwds hang the phone up,
maybe warn someone (the user or SA.)
Here's another one that was just brought up on the SECURITY mailing list.
If user's are not careful about password creation (and people are just
people) then a reasonably determined cracker can grab the encrypted string
in /etc/passwd and run it against dictionaries (this is all well documented
in "The Security of UNIX", I think that was Kernighan, sorry, working from
memory here.)
A trivial defense (used I believe years ago at Harvard and probably lots
of other source sites) was to make /etc/passwd a dummy file (so most
software is undisturbed) which does not contain encrypted strings but
otherwise is publicly readable. You then create another, unreadable,
copy (call it /etc/passwd.nr) with the strings. The only two programs
that I can think of that use those encrypted strings (as delivered) are
login.c and passwd.c, just modify those to use the unreadable version (easy.)
It would also be handy to have a script that can be run that builds the
readable from the unreadable when it is modified (easy.)
If need be, passwd.c could be re-written by any competent applications
programmer in an afternoon. Login.c is quite subtle and would be a bit
of a job to rewrite from scratch without having access to its source.
So, another sound argument I believe that certain software sources should
always be delivered with UNIX systems (hey, we're a University, we get
sources to all of this stuff, but my binary only PC7300 got me thinking.)
Now, another security/integrity problem on UNIX I would like to hear
a discussion on: /tmp. Let's face it, it's a problem (anyone can do
an 'rm /tmp/*', or fill it with junk, or usually read many files on
it.) How about considering a temporary file type (maybe by making /tmp
a device?) with some special rules (delete on last close, no name in
the visible file space except to root etc.) Of course any design should
be ignorable (transparently work the old way at sites that don't need it,
like my UNIX/PC.)
-Barry Shein, Boston University
More information about the Comp.unix.wizards
mailing list