su bug in Ultrix 4.1 still there

Marcus J. Ranum mjr at hussar.dco.dec.com
Wed Dec 12 15:44:32 AEST 1990


Sm at cerberus.bhpese.oz.au (Scott Merrilees) writes:
> This provides much better tracking of root
> access than having someone log into root to do something, which leaves
> you with the problem: Who was it? Programmer A or B or C ?

	If you're running enhanced security, presumably your environment
isn't the type where you have 3 programmers just logging in as root or
'su'ing at the drop of a hat. *enhanced* implies you're serious about
security, and presumably you have some kind of additional controls or
change tracking in place - not just "I needed to edit the password
file so I su'd to root". We're talking having programmer A notify the
site security officer that they're going to log in as root and add
the following accounts, thank you - if you're not *that* serious about
security, either re-write 'su' or don't run enhanced. It's my impression
that running enhanced means you're into security enough that you are
also using the other C2 stuff - access failure logging, file creation,
modification logging - the whole ball of wax. (which nobody in their
right mind but a spook is going to want to do)

mjr.
-- 
	Somehow, "features" became the driving force behind applications,
rather than getting the job done efficiently and cleanly. Conceptually,
this is the equivalent of selling cars based only on the layouts of their
dashboards.		[From the programming notebooks of a heretic, 1990]