Userid conventions

mark at ems.UUCP mark at ems.UUCP
Sun Mar 15 05:27:06 AEST 1987 

	Ok, I have seen a lot of conversations about the security of
	unix signons lately.  It would seem that protecting a signon
	can be done in two different ways.  The first of these is by
	protecting the password of a given signon.  This is the more
	traditional way to protect a signon.  The second way is to 
	attempt to make the signon itself more secure.  On a system
	where the userid is used for so many different things such
	as mail, there is a problem with attempting to protect the
	userid.

	Another consideration here is that even if the signons are
	protected, there are several signons that are pretty generic
	on all Unix systems.  Uucp, lp, and adm are a few that come
	to mind.  Changing these may break some utilities that have
	these id's hardcoded.  Besides, most of the security related
	information that I have read has stated that most of the
	security breaches come from inside the company, not from
	malicious hackers on the outside.

	If we assume that this statement is true, then this opens
	a whole new set of issues.  For example, if a person has
	a signon, how are you going to ensure security.  Commands
	like su begin to look like major problems, especially since
	you do not need to know a user id in the first place.

	If you want a secure system you will need to go to more
	dramatic extremes than using obfusticating user id's.
	If you want to protect the system from the outside, don't
	put modems on your machine.  This will gaurentee that
	outside people will not call in and gain access your machine.
	If you cannot do this, granted it is extreme, go to a call
	back scheme.  This can be circumvented using call forwarding
	these days, but once again, this requires that someone that
	is allowed to call in has allowed a phone to be forwarded.

	Granted system security is a problem, but making the system
	harder to use is not a good security practice.  This will
	cause frustration from your users and will actually promote
	LESS security, not more.

-- 
Mark H. Colburn          mark at ems.uucp      
EMS/McGraw-Hill          {rutgers|amdahl|ihnp4}!{dayton|meccts}!ems!mark
9855 West 78th Street     
Eden Prairie, MN 55344   (612) 829-8200 x235

More information about the Comp.unix.wizards mailing list