Path: utzoo!utgpu!watmath!uunet!xanth!nic.MR.NET!umn-d-ub!rutgers!labrea!bloom-beacon!mit-eddie!andante!att!bakerst!cgh!amanue!jr
From: jr@amanue.UUCP (Jim Rosenberg)
Newsgroups: unix-pc.general
Subject: Re: /etc/shutdown permissions
Message-ID: <440@amanue.UUCP>
Date: 30 Nov 88 06:03:25 GMT
References: <234@safari.UUCP> <1349@umbc3.UMD.EDU> <426@amanue.UUCP> <4272@encore.UUCP> <435@amanue.UUCP> <295@jhunix.JHU.EDU>
Reply-To: jr@amanue.UUCP (Jim Rosenberg)
Distribution: unix-pc
Organization: Amanuensis Inc., Grindstone, PA
Lines: 57

In article <295@jhunix.JHU.EDU> ins_anmy@jhunix.UUCP (Norman Yarvin) writes:
>In article <435@amanue.UUCP> jr@amanue.UUCP (Jim Rosenberg) writes:
>
>>... Good security means defense in depth.
>
>To quote Mark Twain: "Put all your eggs in one basket, and WATCH THAT BASKET!"
>This is the usual Unix metaphor for security: restrict yourself to one level of
>defense, but make that level completely airtight.  For instance, /etc/passwd
>is readable by the world.  This is highly reasonable, as _the_ line of defense
>against password reading is the encryption of passwords.  None other is needed.
>And the readability of the password file has the mental-attitude advantage that
>it focuses effort on the need for an uncrackable encryption algorithm.

I suggest you take this up with AT&T.  Please tell them that they were full of
horse puckey when they put shadow passwords into SVr3[.1?  Too bad on the 3b1
we'll never see Vr3.anything.]  If you think that the encryption algorithm of
/etc/passwd is safe you are living in dreamland.  In possession of /etc/passwd
an algorithm to guess passwords will succeed if someone has used all kinds of
categories of obvious passwords.  The recent Worm succeeded something like 5%
of the time just by guessing passwords!!  The encryption algorithm is *NOT*
"_the_" line of defense.  crypt + poorly chosen password + public password file
== no security.  This is one of the reasons why AT&T has **DONE AWAY WITH**
publicly readable passwords.  Just to take this one example, a proper approach
to password security includes the following layers:

1.  Proper people procedures.  (Do not write down your password next to your
terminal, do not share your password with your co-workers, etc.)

2.  Well-chosen passwords.  This is currently being beaten to death on the net
right now.

3.  Password encryption.

4.  o-r on the shadow password file.  (/etc/passwd has all the fields that
tools like ls need; the password field is there but not used.)

That's 4 layers.  Defense in depth means plan each layer as if it were all you
had, then hope at least one of them holds.  I think what you are suggesting
is an invitation to disaster.  I think defense in depth is just plain common
sense.  I will be most interested if you can cite a literature reference
showing where the defense in depth concept just plain doesn't work.

Now I'm not an expert, but I have read some of the literature, & I know that
there are some pretty smart people who make a convincing case that some
security procedures are counter-productive.  I've read a reasonable argument
against too much su logging.  I don't know if I agree with it, but a case was
certainly made.  But saying that the defense in depth concept makes no sense is
like saying if you keep your brakes in good repair having a quick reaction time
on the brake pedal isn't necessary.

So, I still stand by defense in depth.  *SHOW ME* a break-in that happened
that points out a genuine flaw in the *concept*.
-- 
 Jim Rosenberg
     CIS: 71515,124                         decvax!idis! \
     WELL: jer                                   allegra! ---- pitt!amanue!jr
     BIX: jrosenberg                  uunet!cmcl2!cadre! /
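An added audit script (not from the post or from AT&T's tools) that checks the layer-4 split described above: the world-readable passwd file carries only placeholders in its password field, while the file holding the hashes has o-r cleared. File paths are parameters so it can run on copies; the accepted placeholder set (x, *, !) is an assumption.

```shell
#!/bin/sh
# Layer-4 audit: hashes out of the public passwd file, shadow file not o+r.

# Return 0 if FILE exists and is not readable by "other", 1 otherwise.
# Uses the ls -l mode string (position 8 is the "other" read bit) for portability.
shadow_not_world_readable() {
    file=$1
    [ -e "$file" ] || return 1
    mode=$(ls -ld "$file" | cut -c1-10)
    case "$mode" in
        ???????r??) return 1 ;;   # 'r' in the other-read slot
        *)          return 0 ;;
    esac
}

# Return 0 if no line in the passwd-format FILE has a real hash in field 2.
# Assumption: placeholders are made only of x, * and ! (or are empty);
# anything else in field 2 is treated as a leaked hash.
passwd_has_no_hashes() {
    file=$1
    [ -e "$file" ] || return 1
    awk -F: '
        NF < 2 { next }                 # skip blank or malformed lines
        $2 !~ /^[x*!]*$/ { bad++ }      # a real crypt(3) string lands here
        END { exit bad ? 1 : 0 }' "$file"
}

# Combined check over a passwd path and a shadow path; 0 only if both hold.
audit_password_layers() {
    rc=0
    passwd_has_no_hashes "$1" || { echo "hash material present in public file $1"; rc=1; }
    shadow_not_world_readable "$2" || { echo "$2 is missing or world-readable"; rc=1; }
    return $rc
}

# Run only when two paths are supplied, e.g.: sh audit.sh /etc/passwd /etc/shadow
if [ $# -eq 2 ]; then
    audit_password_layers "$1" "$2"
fi
```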