Esix Rev D. support, potential security hole

Terry Conklin conklin at frith.uucp
Wed Nov 14 15:42:34 AEST 1990 

----
I have not come to praise ESIX (that was the last message) but this time, to
indicate that there have been problems, and also to update ESIX owners
about a potential security hole.
 
Let's get the security hole out of the way first. ESIX Revision D
'fails' the security test given in the June issue of Unix/World of
checking for strings in /usr/lib/sendmail's binary. Apparently, ESIX not
only still has the 'debug' id still in their sendmail, but they
also have a questionable string right after, 'wiz.'
 
It was mentioned in the Unix/world article that there was a 'wizard' id
and that it have been taken out of practically everything. Except,
perhaps, ESIX rev D. Since ESIX is shipped with TCP/IP and is a natural
canidate for networked environments, this bug needs to be fixed A.S.A.P.
I patched my copy with other data in those fields. Someone let me know
if that's not a workable fix.
 
-------
 
While ESIX is clearly the best Unix shipping right now, I have been
extremely unhappy with their attitude on bugs. I have on several
occasions been told 'no dice' on V.4 upgrades (though this has apparently
changed.) However, what is more disturbing is that I have been
consistently been told, via email, ESIX, distributors, and the facts,
that bugs in the ESIX release are there for life. "If it's broken, tough."
 
It has been well over a month now since I reported a number of errors (5
or so I think,) some of which make the system unusable. I sent email
several times (over weeks) then called (not free) them to
see if they were getting any email. Some of it had arrived. I never
received a reply. I found the text of the bug report and sent it again,
called again to verify it arrived. I have yet to ever get a call back
from tech support, nor any email, or even normal mail.
 
Let me reiterate - these are serious bugs. Enough that ESIX is
effectively useless to me as anything but a hobby system. The
environment is improperly setup by the kernel/login. I wrote my own
shell and find that the environment variables are often destroyed coming
into it. There is also a terrible bug in which the system forgets the
name of the user. I believe LOGNAME is overwritten. As passwords expire,
the system requires a new password, then says "Can't change password for
LOGIN." Even after people login, occasionally applications and games
will show scores by 'LOGIN' or 'uadmin' or other things. My guess is the
environment space/stack is being corrupted. I rate this error as
SERIOUS.
 
At this point, even if it is fixed, my collective feeling from dealing
with a number of ESIX people and business partners is even if the bug
were fixed, all Rev D owners are S.O.L. Rev C? Worked fine (if slower)
but they required the 1st disk of Rev. C to get the Rev. D upgrade!
 
Currently, Rev. D is BROKEN. It does not function as advertised. There
is apparently no upgrade or repair policy. I have made many, many
attempts to contact ESIX, indeed, _did_ contact ESIX, through a variety
of channels. This is unacceptable.
 
I would have to say that Interactive has been more helpful than ESIX at
this point. I would have thought Atlantis risen before that would be
true. Interactive openly says 'no support without a support contract!'
 
Terry Conklin
uunet!frith!conklin
conklin at egr.msu.edu
The Club (517) 372-3131  (3/12/24 MNP5)

More information about the Comp.unix.sysv386 mailing list