su bug in Ultrix 4.1 still there

[Rusty Wright]

I just upgraded my DECstation 5000 to Ultrix 4.1 and the su bug from
Ultrix 4.0 is still there.  For those of you who missed my tirade when
I upgraded to Ultrix 4.0, here's a synopsis of the problem.

If your security level is set to ENHANCED you can't use the su command
unless the tty line you're on is marked secure in /etc/ttys.  On a
time sharing system like a DECserver or a large VAX that's not so bad.
But on a workstation running windows you'll almost always be on a tty
that's a pseudo tty (unless you happen to have a dialin modem
connected to your workstation) because of course that's what dxterm,
xterm, etc. use.  So you might think you could just edit /etc/ttys and
add the secure keyword to all of the pseudo tty lines, but that would
be a mistake because that would make your system less secure because
that allows root logins over the network via rlogin or telnet; i.e.,
then some cracker could try to guess your root password.

When I upgraded to Ultrix 4.0 I called the 800 number and reported
this bug to the folks in Atlanta.  The person I talked to understood
the problem and agreed that it was a problem but there wasn't any
patch available.  He said the next thing to do was for me to bring it
up with my local Field Service, which I did.  They didn't understand
the problem but they did investigate and their response was "that's
the way it's supposed to be."