Path: utzoo!utgpu!watmath!uunet!xanth!nic.MR.NET!umn-d-ub!rutgers!labrea!bloom-beacon!mit-eddie!andante!att!bakerst!cgh!amanue!jr
From: jr@amanue.UUCP (Jim Rosenberg)
Newsgroups: unix-pc.general
Subject: Re: /etc/shutdown permissions
Message-ID: <440@amanue.UUCP>
Date: 30 Nov 88 06:03:25 GMT
References: <234@safari.UUCP> <1349@umbc3.UMD.EDU> <426@amanue.UUCP> <4272@encore.UUCP> <435@amanue.UUCP> <295@jhunix.JHU.EDU>
Reply-To: jr@amanue.UUCP (Jim Rosenberg)
Distribution: unix-pc
Organization: Amanuensis Inc., Grindstone, PA
Lines: 57

In article <295@jhunix.JHU.EDU> ins_anmy@jhunix.UUCP (Norman Yarvin) writes:
>In article <435@amanue.UUCP> jr@amanue.UUCP (Jim Rosenberg) writes:
>
>>... Good security means defense in depth.
>
>To quote Mark Twain: "Put all your eggs in one basket, and WATCH THAT BASKET!"
>This is the usual Unix metaphor for security: restrict yourself to one level of
>defense, but make that level completely airtight. For instance, /etc/passwd
>is readable by the world. This is highly reasonable, as _the_ line of defense
>against password reading is the encryption of passwords. None other is needed.
>And the readability of the password file has the mental-attitude advantage that
>it focuses effort on the need for an uncrackable encryption algorithm.

I suggest you take this up with AT&T. Please tell them that they were full of
horse puckey when they put shadow passwords into SVr3[.1? Too bad on the 3b1
we'll never see Vr3.anything.] If you think that the encryption algorithm of
/etc/passwd is safe you are living in dreamland. In possession of /etc/passwd
an algorithm to guess passwords will succeed if someone has used all kinds of
categories of obvious passwords. The recent Worm succeeded something like 5%
of the time just by guessing passwords!! The encryption algorithm is *NOT*
"_the_" line of defense.

crypt + poorly chosen password + public password file == no security.

This is one of the reasons why AT&T has **DONE AWAY WITH** publicly readable
passwords. Just to take this one example, a proper approach to password
security includes the following layers:

1. Proper people procedures. (Do not write down your password next to your
   terminal, do not share your password with your co-workers, etc.)
2. Well-chosen passwords. This is currently being beaten to death on the net
   right now.
3. Password encryption.
4. o-r on the shadow password file. (/etc/passwd has all the fields that tools
   like ls need; the password field is there but not used.)

That's 4 layers. Defense in depth means plan each layer as if it were all you
had, then hope at least one of them holds. I think what you are suggesting is
an invitation to disaster. I think defense in depth is just plain common sense.
I will be most interested if you can cite a literature reference showing where
the defense in depth concept just plain doesn't work. Now I'm not an expert,
but I have read some of the literature, & I know that there are some pretty
smart people who make a convincing case that some security procedures are
counter-productive. I've read a reasonable argument against too much su
logging. I don't know if I agree with it, but a case was certainly made. But
saying that the defense in depth concept makes no sense is like saying if you
keep your brakes in good repair having a quick reaction time on the brake
pedal isn't necessary.

So, I still stand by defense in depth. *SHOW ME* a break-in that happened that
points out a genuine flaw in the *concept*.
-- 
Jim Rosenberg                                           CIS: 71515,124
                        decvax!idis! \                  WELL: jer
                        allegra!     ---- pitt!amanue!jr
                        uunet!cmcl2!cadre! /            BIX: jrosenberg
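As an added example (not part of this post or the thread it replies to), the following Python audits three of the four layers the post lists against constructed sample files: it reports accounts whose hash still sits in the world-readable /etc/passwd instead of behind an `x` marker (layer 4 missing), accounts with no password at all (layer 3 missing), whether the shadow file's mode is o-r as the post demands, and whether a candidate password is of the "obvious" kind the post warns about (layer 2). The sample /etc/passwd and shadow contents, the hash placeholders, the `OBVIOUS_PASSWORDS` list and the shadow file format are all constructed for this example, not taken from any real system.

```python
import stat

# Constructed sample /etc/passwd: three shadowed entries (password field "x")
# and one legacy entry that still carries its hash in the public file.
# "FAKEHASH..." strings are placeholders, not real crypt(3) output.
SAMPLE_PASSWD = (
    "root:x:0:0:Super User:/:/bin/sh\n"
    "jr:x:100:100:Jim Rosenberg:/usr/jr:/bin/sh\n"
    "uucp:x:5:5:UUCP Admin:/usr/spool/uucppublic:/usr/lib/uucp/uucico\n"
    "guest:FAKEHASH13chr:200:200:Guest Account:/usr/guest:/bin/sh\n"
)

# Constructed sample shadow file (name:hash:lastchange:min:max); uucp has an
# empty hash, i.e. no password at all.
SAMPLE_SHADOW = (
    "root:FAKEHASHrootXX:6900::\n"
    "jr:FAKEHASHjrXXXX:6900::\n"
    "uucp::6900::\n"
)

# Values in the passwd password field that mean "not a hash, look elsewhere / locked".
SHADOW_MARKERS = {"x", "*", "!", "NP", "LK"}

# Constructed list of obvious choices; a real policy would use a far larger dictionary.
OBVIOUS_PASSWORDS = {"password", "secret", "unix", "guest", "letmein", "123456"}


def parse_colon_file(text):
    """Split a colon-separated file into one field list per non-empty line."""
    return [line.split(":") for line in text.splitlines() if line.strip()]


def passwd_leaks_hashes(passwd_text):
    """Layer 4 check: users whose hash is still in the world-readable passwd file."""
    return [fields[0] for fields in parse_colon_file(passwd_text)
            if fields[1] and fields[1] not in SHADOW_MARKERS]


def accounts_without_password(passwd_text, shadow_text):
    """Layer 3 check: users with an empty password field in both files."""
    shadow = {f[0]: f[1] for f in parse_colon_file(shadow_text)}
    missing = []
    for fields in parse_colon_file(passwd_text):
        name, pw_field = fields[0], fields[1]
        if pw_field == "" or (pw_field == "x" and shadow.get(name, "") == ""):
            missing.append(name)
    return missing


def shadow_mode_ok(mode):
    """True when the shadow file is o-r (and not writable by group or other)."""
    forbidden = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH | stat.S_IWGRP
    return (mode & forbidden) == 0


def weak_password_reasons(username, password):
    """Layer 2 check: reasons a password is easy to guess (empty list = none found)."""
    reasons = []
    lowered = password.lower()
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if lowered in (username.lower(), username.lower()[::-1]):
        reasons.append("derived from the username")
    if lowered in OBVIOUS_PASSWORDS:
        reasons.append("on the obvious-password list")
    classes = sum(1 for present in (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ) if present)
    if classes < 2:
        reasons.append("uses a single character class")
    return reasons


def audit(passwd_text, shadow_text, passwd_mode, shadow_mode):
    """Combine the file-level checks into one report dictionary."""
    return {
        "hashes_in_passwd": passwd_leaks_hashes(passwd_text),
        "no_password": accounts_without_password(passwd_text, shadow_text),
        "shadow_mode_ok": shadow_mode_ok(shadow_mode),
        # passwd itself is expected to be world-readable (ls and friends need it)
        "passwd_world_readable": bool(passwd_mode & stat.S_IROTH),
    }


if __name__ == "__main__":
    # Modes are constructed: passwd 0644 as usual, shadow wrongly left at 0644.
    for key, value in audit(SAMPLE_PASSWD, SAMPLE_SHADOW, 0o644, 0o644).items():
        print(f"{key}: {value}")
    print("jr/jr:", weak_password_reasons("jr", "jr"))
```

Each function maps to one layer of the post's list, so a failing check tells you which layer is absent rather than only that "security is weak"; the world-readable passwd file is reported but not treated as a fault, matching the post's point that the fields other tools need stay public while the hash moves to the o-r shadow file.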