su bug in Ultrix 4.1 still there

Bill Collins CIRT collins at triton.unm.edu
Tue Dec 11 13:00:57 AEST 1990


In article <RUSTY.90Dec10144456 at belch.Berkeley.EDU> rusty at belch.Berkeley.EDU (Rusty Wright) writes:
>I just upgraded my DECstation 5000 to Ultrix 4.1 and the su bug from
>Ultrix 4.0 is still there.  For those of you who missed my tirade when
>I upgraded to Ultrix 4.0, here's a synopsis of the problem.
I haven't.  I have noticed the "bug."

>If your security level is set to ENHANCED you can't use the su command
>unless the tty line you're on is marked secure in /etc/ttys.  
> ...
>add the secure keyword to all of the pseudo tty lines, but that would
>be a mistake because that would make your system less secure because
>that allows root logins over the network via rlogin or telnet; i.e.,
>then some cracker could try to guess your root password.

Repeated login failures are recorded.  Guessing from outside would (should) be
noticed, especially in ENHANCED mode.

>                                              They didn't understand
>the problem but they did investigate and their response was "that's
>the way it's supposed to be."

I suppose it may be argued either way.  Adding "secure" after a device could
mean that root access is allowed, how Digital seems to understand it.  Or adding
"secure" means that initial root access (e.g., rlogin, telnet).

The former suggestion is that a device, any device, is considered safe and
"secure" (i.e., allowed root access) or it isn't.  "Root" access is the same here,
regardless of the method (e.g., su(1), telnet(1), rlogin(1)).

The latter suggests that if a user has an account, legitimate or otherwise, and
access to su(1), then the device which he/she is on is secured by the fact the
user has an account.  This may not always be true.  The avenue does provide some
additional tracking, by chance, as the account which uses su(1) is given.

Perhaps the questions may be posed in this fashion, "is the 'network' secure?"
To what extent do you mean to secure root access?  After all, you can write
your own su program if you wish, it's not hard.

4.x ENHANCED behavior doesn't seem too hard to accept, or work around.  Bug?
Perhaps not.  Just a different understanding.

					Bill
					collins at triton.unm.edu

p.s.	beware of the 5th column!
--
Internet:	collins at ariel.unm.edu
BITnet:		collins at unmb.bitnet


