Path: utzoo!utgpu!attcan!uunet!steinmetz!davidsen
From: davidsen@steinmetz.ge.com (William E. Davidsen Jr)
Newsgroups: comp.unix.xenix
Subject: Re: Security
Keywords: Security
Message-ID: <11899@steinmetz.ge.com>
Date: 18 Aug 88 18:14:47 GMT
References: <4@raider.UUCP>
Reply-To: davidsen@crdos1.UUCP (bill davidsen)
Organization: General Electric CRD, Schenectady, NY
Lines: 30

What you need for security falls into a number of areas. uucp security was addressed in my posting of a few days ago (I absolutely can't mail any more copies), so here are a few more ideas.

For shell you could run Korn shell (ksh). By setting the PATH variable and then making it readonly, and using the restricted shell, you can control what can be executed.

For an editor, I use microemacs in restricted mode. This allows me to set which commands I allow, and to tailor the key maps any way I want.

Finally you can use chroot to place the user in a virtual machine. There are some problems with this as far as having multiple copies of software, or having news in its own partition, etc.

I run guest users in a restricted shell, but at one time I had a complete environment accessible to any caller. I won't claim it was bulletproof, but in a year no one broke out.

You have to find a balance between having great security and the time it takes to administer a secure system. Someone has to check fancy logs if you add them, to keep copies of software in sync, to add and delete things in the secure environment, etc.

I don't have all the answers, but if you find some way to have a secure system which isn't more trouble to support, do let me know.

--
bill davidsen (wedu@ge-crd.arpa)
{uunet | philabs | seismo}!steinmetz!crdos1!davidsen
"Stupidity, like virtue, is its own reward" -me
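
The restricted-shell setup the post describes (PATH set, then made readonly) controls what can be executed only as long as the guest cannot add files to a PATH directory or reach the current directory through PATH. As an added example that is not part of the original post, this POSIX sh function audits a guest profile for those conditions; the profile layout, the function name audit_restricted_profile and the AUDIT_FINDINGS variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the guest account's
# profile sets PATH with a literal "PATH=/dir1:/dir2" line and then
# "readonly PATH" (or "typeset -r PATH") on a later line.

AUDIT_FINDINGS=0
report() { echo "FINDING: $1"; AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1)); }

# audit_restricted_profile PROFILE -> 0 if clean, 1 if anything was reported
audit_restricted_profile() {
    profile=$1
    AUDIT_FINDINGS=0
    [ -r "$profile" ] || { report "cannot read $profile"; return 1; }

    # Last PATH assignment ("lineno:text") and line number of the last readonly.
    path_line=$(grep -n -E '^[[:space:]]*(export[[:space:]]+)?PATH=' "$profile" | tail -n 1)
    ro_no=$(grep -n -E '^[[:space:]]*(readonly|typeset[[:space:]]+-r)[[:space:]]+PATH[[:space:]]*$' "$profile" | tail -n 1 | cut -d: -f1)
    [ -n "$path_line" ] || { report "no literal PATH= assignment"; return 1; }
    path_no=${path_line%%:*}
    path_value=$(printf '%s' "${path_line#*PATH=}" | tr -d "\"'")

    # The readonly declaration must follow the assignment being audited.
    if [ -z "$ro_no" ] || [ "$ro_no" -lt "$path_no" ]; then
        report "PATH is not made readonly after it is set"
    fi

    # An empty entry means "current directory", the same as ".".
    case ":$path_value:" in
        *::*) report "empty PATH entry (searches the current directory)" ;;
    esac

    # Split on ":" with globbing off, then check each directory.
    old_ifs=$IFS; IFS=:; set -f
    set -- $path_value
    set +f; IFS=$old_ifs
    for dir in "$@"; do
        case $dir in
            '') ;;
            /*) if [ ! -d "$dir" ]; then
                    report "PATH entry $dir is not a directory"
                elif [ -n "$(find -H "$dir" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
                    report "PATH entry $dir is writable by group or others"
                fi ;;
            *)  report "PATH entry '$dir' is not an absolute path" ;;
        esac
    done
    [ "$AUDIT_FINDINGS" -eq 0 ]
}
```

Entries that use variable references such as $HOME are reported as non-absolute, because the audit reads the profile text and does not expand it.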