Unix security additions

Craig Macbride craig at bacchus.esa.oz.au
Wed Mar 13 09:51:44 AEST 1991


In <565 at rufus.UUCP> drake at drake.almaden.ibm.com writes:

>I don't know about "unix" in general ... looking at AIX V3 in particular,
>I suspect they are:

>o  Access Control Lists (ACLs) on individual files.
>o  Getting the passwords where they can't be publicly read

These are both designed to be non-standard and break other people's software.
I'd call them good if they didn't do that.

>o  Telling me when I log on when the last time I logged on was,
>   and how many times someone has tried to log onto my account
>   with an invalid password since I last logged on.

The only really good one of the lot. It can (and should) be implemented and
doesn't provide problems.

>o  Eliminating setuid shell scripts

A good idea in theory, but the security of the system is still largely a
matter of how it's administered. Why shouldn't people who want to use setuid
shell scripts be allowed to? Because IBM or AT&T says so? I don't really
think that's a good enough reason. Vendors shouldn't provide setuid shell
scripts in their distribution, but there is no reason why people should not
be able to use them. This is like censorship in concept: If people think
using setuid scripts is a bad idea (which it usually is), they don't have to
use them. If every construct in C which has the possibility of being abused
had been removed from the language, there wouldn't be a whole lot left.

>o  Providing alternatives to NFS with better security characteristics

Another excuse to make yet another non-standard piece of software. But then,
who really believes that AIX is Unix? :-)

-- 
 _____________________________________________________________________________
| Craig Macbride, craig at bacchus.esa.oz.au      | Hardware:                    |
|                                              |      The parts of a computer |
|   Expert Solutions Australia                 |        which you can kick!   | 



More information about the Comp.unix.admin mailing list