Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.2 9/18/84; site cyb-eng.UUCP
Path: utzoo!linus!philabs!cmcl2!seismo!ut-sally!cyb-eng!bc
From: bc@cyb-eng.UUCP (Bill Crews)
Newsgroups: net.followup
Subject: Re: Unix from a snob's point of view!
Message-ID: <767@cyb-eng.UUCP>
Date: Tue, 29-Oct-85 19:02:00 EST
Article-I.D.: cyb-eng.767
Posted: Tue Oct 29 19:02:00 1985
Date-Received: Thu, 31-Oct-85 08:48:15 EST
References: <298@weitek.UUCP> <951@enea.UUCP> <47@hadron.UUCP>
Distribution: net
Organization: Cyb Systems, Austin, TX
Lines: 97

> In article <951@enea.UUCP> sommar@enea.UUCP (Erland Sommarskog) writes:
> >In article <298@weitek.UUCP> mmm@weitek.UUCP (Mark Thorson) writes:
> >>3. Unix security is eggshell-thin. In practice, Unix is usually run about
> >>   as securely as other OSes. But it is intrinsically easy to break. ...
> >Yes, this is a very severe problem. (Not only for Unix, but most other OS's
> >are at least a little safer.
>
> I can't believe that this bald statement has gone this long
> unchallenged.
> UNIX, on the other hand, has
> been chosen as the base for almost every non-Multics attempt
> at a provably secure OS. It has a lot of great security
> capabilities.

Ouch! Hot flame!

> Security, however, is mostly a matter of human behaviour. It
> doesn't matter what safeguards I put in the software if I leave
> the key in the machine, which is sitting in the hallway, and
> tape the super-user password on the console so I can remember
> what I changed it to ... five years ago.
>
> How many of you who complain about security enforce password
> aging? How many enforce passwords, for goodness' sake? [These
> are rhetorical questions, N O T a survey!] How many have
> changed the wizard password in sendmail.cf? How many have even
> removed Other and Group write permissions from /etc/passwd and
> properly use groups to separate users?

Agreed, of course.

> I will say this in favour of the original position.
> Unix was originally written to be used in a trusted community, so
> it is delivered with a lot of protections off. But if people spent
> 1/10 the time fixing protections and tightening human security
> policies that they do complaining about Unix security, they
> would have little (if anything) to complain about.

You give too little weight to the significance of a closed system that
must be opened versus an open system that must be closed. It is
difficult to figure out exactly how all those doors need to be closed.

> I hereby challenge anybody to hand me a Unix source system, and
> in a short time I will have it "reasonably" secure. (There is
> no such thing as "absolutely" secure.) You supply a (reasonable)
> definition of "reasonable". [E.g., provable and multi-level are
> not reasonable, for a vanilla Unix, unless you want to put us on
> contract.] Even if you have put holes in the system, as long as
> you give me the original tapes (let's be reasonable!) I believe
> I can do this.

It doesn't matter if you can do this or not if system security isn't
designed in such a way that people will tend to use it correctly. If
security is insufficiently flexible, people will try to kluge their
security. If kluging becomes a hassle, as it often does, people tend
to refrain from messing with it. That's human nature.

> I guess I should puncture my ego trip and say this challenge is
> addressed to the ordinary system manager such as those who made
> the above complaints. It's not addressed to the many people
> who are much cleverer in this area than I am, such as the people
> at ucla-security, any of the kernelised secure OS projects, MI#,
> Ft. Meade, Langley, Ken or Dennis or Brian or ..., or all those
> who taught me all I know but not all they know. But I would be
> willing to accept even a reasonable challenge from any of them,
> on the understanding that I know they will probably do something
> I can't find in a "short" time.

Getting a little chicken now, huh?
:-)

> I should also put a time limit on this, and accept only serious
> offers, because I am not going to spend all the rest of my life
> fixing security on Unix systems.
>
> Joe Yao hadron!jsdy@seismo.{CSS.GOV,ARPA,UUCP}

I don't intend to supply you with a challenge. I don't personally know
a system that is ideally flexible in its security. Those that seem to
come closest are those that define classes of resources and classes of
users. Any resource can be in any number of classes, and any user can
be in any number of user classes. Then, a mapping of user classes and
resource classes can be made. These are often referred to as ACLs, or
access control lists.

The system as delivered has only one class of each, that of system
administrator class and system resource class. It is then up to the
system administrator to open up the rest of the system by including
resources and users in classes and then creating ACLs. This isn't
perfect, either, of course. And all this must sit atop something
better than rwx. But that is another story.

I'm not saying Unix security is so bad, but it seems to me your
indignation is uncalled for.
--
	- bc -
..!{seismo,topaz,gatech,nbires,ihnp4}!ut-sally!cyb-eng!bc (512) 835-2266
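
The class-based scheme described in the post above (user classes, resource classes, a mapping between them, and a system delivered closed), sketched as an added example that is not part of the original post. The `ClassAcl` type, the class names, the users and the choice of paths are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class ClassAcl:
    """Default-closed model: access exists only where a class mapping grants it."""
    user_classes: dict = field(default_factory=dict)      # user -> set of user classes
    resource_classes: dict = field(default_factory=dict)  # resource -> set of resource classes
    grants: dict = field(default_factory=dict)            # (user class, resource class) -> rights

    def add_user(self, user, *classes):
        self.user_classes.setdefault(user, set()).update(classes)

    def add_resource(self, resource, *classes):
        self.resource_classes.setdefault(resource, set()).update(classes)

    def grant(self, user_class, resource_class, rights):
        self.grants.setdefault((user_class, resource_class), set()).update(rights)

    def allowed(self, user, resource, right):
        # A user or resource in no class matches no mapping, so the answer is "no".
        ucs = self.user_classes.get(user, set())
        rcs = self.resource_classes.get(resource, set())
        return any(right in self.grants.get((u, r), ()) for u in ucs for r in rcs)

    def who_can(self, resource, right):
        """Audit helper: every known user holding `right` on `resource`."""
        return sorted(u for u in self.user_classes if self.allowed(u, resource, right))

def as_delivered():
    """One user class and one resource class, as the post describes (constructed data)."""
    acl = ClassAcl()
    acl.add_user("root", "sysadmin")
    acl.grant("sysadmin", "system", {"read", "write", "execute"})
    for res in ("/etc/passwd", "/usr/spool/mail", "/usr/src"):
        acl.add_resource(res, "system")
    return acl

def opened_by_admin():
    """The administrator opens the system one explicit mapping at a time."""
    acl = as_delivered()
    acl.add_user("alice", "staff")
    acl.add_user("bob", "staff", "developers")
    acl.add_resource("/etc/passwd", "public-config")  # a resource may sit in several classes
    acl.add_resource("/usr/src", "source")
    acl.grant("staff", "public-config", {"read"})
    acl.grant("developers", "source", {"read", "write"})
    return acl
```

Every door that is open in `opened_by_admin()` corresponds to a `grant` line someone wrote, and `who_can` lists the holders of a right directly, which is the auditing difference between opening a closed system and closing an open one.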