/etc/shutdown permissions

Jim Rosenberg jr at amanue.UUCP
Wed Nov 30 16:03:25 AEST 1988


In article <295 at jhunix.JHU.EDU> ins_anmy at jhunix.UUCP (Norman Yarvin) writes:
>In article <435 at amanue.UUCP> jr at amanue.UUCP (Jim Rosenberg) writes:
>
>>... Good security means defense in depth.
>
>To quote Mark Twain: "Put all your eggs in one basket, and WATCH THAT BASKET!"
>This is the usual Unix metaphor for security: restrict yourself to one level of
>defense, but make that level completely airtight.  For instance, /etc/passwd
>is readable by the world.  This is highly reasonable, as _the_ line of defense
>against password reading is the encryption of passwords.  None other is needed.
>And the readability of the password file has the mental-attitude advantage that
>it focuses effort on the need for an uncrackable encryption algorithm.

I suggest you take this up with AT&T.  Please tell them that they were full of
horse puckey when they put shadow passwords into SVr3[.1?  Too bad on the 3b1
we'll never see Vr3.anything.]  If you think that the encryption algorithm of
/etc/passwd is safe you are living in dreamland.  In possession of /etc/passwd
an algorithm to guess passwords will succeed if someone has used all kinds of
categories of obvious passwords.  The recent Worm succeeded something like 5%
of the time just by guessing passwords!!  The encryption algorithm is *NOT*
"_the_" line of defense.  crypt + poorly chosen password + public password file
== no security.  This is one of the reasons why AT&T has **DONE AWAY WITH**
publicly readable passwords.  Just to take this one example, a proper approach
to password security includes the following layers:

1.  Proper people procedures.  (Do not write down your password next to your
terminal, do not share your password with your co-workers, etc.)

2.  Well-chosen passwords.  This is currently being beaten to death on the net
right now.

3.  Password encryption.

4.  o-r on the shadow password file.  (/etc/passwd has all the fields that
tools like ls need; the password field is there but not used.)

That's 4 layers.  Defense in depth means plan each layer as if it were all you
had, then hope at least one of them holds.  I think what you are suggesting
is an invitation to disaster.  I think defense in depth is just plain common
sense.  I will be most interested if you can cite a literature reference
showing where the defense in depth concept just plain doesn't work.

Now I'm not an expert, but I have read some of the literature, & I know that
there are some pretty smart people who make a convincing case that some
security procedures are counter-productive.  I've read a reasonable argument
against too much su logging.  I don't know if I agree with it, but a case was
certainly made.  But saying that the defense in depth concept makes no sense is
like saying if you keep your brakes in good repair having a quick reaction time
on the brake pedal isn't necessary.

So, I still stand by defense in depth.  *SHOW ME* a break-in that happened
that points out a genuine flaw in the *concept*.
-- 
 Jim Rosenberg
     CIS: 71515,124                         decvax!idis! \
     WELL: jer                                   allegra! ---- pitt!amanue!jr
     BIX: jrosenberg                  uunet!cmcl2!cadre! /
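
As an added example (not part of Jim Rosenberg's post or the thread it answers), the script below audits the fourth layer in his list: the password field of /etc/passwd should hold only a placeholder, and the shadow file should carry no o-r bit. The passwd and shadow contents, the hash strings and the function names (`hashes_in_passwd`, `others_can_read`, `demo`) are constructed for this example; treating `x`, `*` and `!` as non-hash markers is an assumption about the placeholder conventions, not something the post states.

```python
import os
import stat
import tempfile

# Constructed sample /etc/passwd in the shadowed layout the post describes:
# every field that tools like ls need is present, the password field is
# just the placeholder "x", and the hashes live elsewhere.
SAMPLE_PASSWD_SHADOWED = """\
root:x:0:0:root:/:/bin/sh
jr:x:100:10:Jim Rosenberg:/u/jr:/bin/sh
"""

# Constructed sample of the older layout the quoted poster defends: the
# crypt(3) output sits in field 2 of a world-readable file.  The hash
# strings are made-up placeholders, not real crypt output.
SAMPLE_PASSWD_PUBLIC = """\
root:PLACEHOLDERHASH0:0:0:root:/:/bin/sh
jr:PLACEHOLDERHASH1:100:10:Jim Rosenberg:/u/jr:/bin/sh
"""

# Placeholder values that are not hashes: "x" means "see the shadow file",
# "*" and "!" are common account-locked markers (assumed convention).
NOT_A_HASH = ("", "x", "*", "!")


def hashes_in_passwd(passwd_text):
    """Return the login names whose passwd entry still carries a hash.

    Any account listed here has its hash exposed to every user who can
    read /etc/passwd, so layer 4 is not in place for it.
    """
    exposed = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed entry; a fuller audit would report it
        login, pw_field = fields[0], fields[1]
        if pw_field not in NOT_A_HASH:
            exposed.append(login)
    return exposed


def others_can_read(path):
    """True if the file mode grants read access to 'other' (the o-r bit)."""
    mode = os.stat(path).st_mode
    return bool(mode & stat.S_IROTH)


def shadow_layer_holds(passwd_text, shadow_path):
    """Layer 4 holds only if no hash is in passwd AND the shadow file is
    not world-readable; either failure alone defeats the layer."""
    return not hashes_in_passwd(passwd_text) and not others_can_read(shadow_path)


def demo():
    """Build a throwaway shadow file and show how the o-r check reacts to
    a world-readable mode (0644) versus a restricted one (0400).

    Returns (layer_holds_at_0644, layer_holds_at_0400).
    """
    with tempfile.TemporaryDirectory() as workdir:
        shadow = os.path.join(workdir, "shadow")
        with open(shadow, "w") as handle:
            # Constructed shadow entry; the hash is a placeholder.
            handle.write("jr:PLACEHOLDERHASH1:7000::::::\n")

        os.chmod(shadow, 0o644)  # weak setting: everyone can read the hashes
        at_0644 = shadow_layer_holds(SAMPLE_PASSWD_SHADOWED, shadow)

        os.chmod(shadow, 0o400)  # corrected setting: owner read only
        at_0400 = shadow_layer_holds(SAMPLE_PASSWD_SHADOWED, shadow)

    return at_0644, at_0400


if __name__ == "__main__":
    print("hashes exposed in public-style passwd:",
          hashes_in_passwd(SAMPLE_PASSWD_PUBLIC))
    print("hashes exposed in shadowed passwd:    ",
          hashes_in_passwd(SAMPLE_PASSWD_SHADOWED))
    weak, fixed = demo()
    print("layer 4 holds with shadow at 0644:", weak)
    print("layer 4 holds with shadow at 0400:", fixed)
```

Run against a real system, `hashes_in_passwd` would take the contents of /etc/passwd and `others_can_read` the path of the shadow file; the point of combining them in `shadow_layer_holds` is that the layer is only as good as both conditions together, which is the "plan each layer as if it were all you had" stance the post argues for.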


