goldfarb@ucf-cs.UUCP (06/21/83)
I think this discussion is heading in the wrong direction. Instead of talking about how we can prevent breaches of password security, perhaps we should concern ourselves with the broader problem of what to do once root security has been broken THAT ONE TIME. How many of you have found setuid root files appearing in funny places? No matter what we do with passwords, etc., once Unix has been cracked it leaks like a sieve.
-- Ben Goldfarb
uucp: ...!duke!ucf-cs!goldfarb
ARPA: goldfarb.ucf-cs@Rand-Relay
jhh@ihldt.UUCP (06/22/83)
Even worse than finding setuid files in bizarre places is modifying programs that root will use often. One approach could be to write a version of ls or l that will change the owner of a file to root, plus set the SUID bit on the file when it runs. This way, the person who broke in could re-crack security any time he pleased. Since the chown and chmod calls would only work if the files existed, the person could create the file, wait for a super-user to execute ls or l, have his way with the system, and remove the evidence when done. The hardest place to clean up would probably be the process accounting files, plus remembering to change the modification times when needed.
John Haller
Aside to rfs - I don't have the time or patience to do this, don't worry.
Michael.Young%cmu-cs-g@sri-unix.UUCP (06/23/83)
A reasonable thing to do when doing overnight dumps or filesystem searches (either by cron, or by human operator) is to dump (to a safe tape) a fast checksum of your important binaries, along with their inode information. The inode info will detect major differences (bad modes, sizes, owners), and the checksum will detect even some tricky meddling. It seems that this is worthwhile every so often just to keep an eye on which system maintainers are working on what, and to detect strange disk errors. [Fsck makes sure blocks are arranged right, but not that they contain the right stuff.] Yes, it's expensive, but if you've got the time at night, it can't hurt.
Michael
smh@mit-eddi.UUCP (Steven M. Haflich) (06/26/83)
It is probably necessary to have a daemon do a sum on all the commands that root regularly executes. This file could be summed in turn, and the result checked *by hand* by the local gestapo-in-charge-of-system-security. Of course, an illegit superuser could hack the summer daemon, but occasional checks by hand could detect tampering.
One moral about security should be made clear to everyone: If you want to keep a text file secure, encrypt it. Otherwise, any file you own is readable (at least) in a great many ways by a great many people.
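
The baseline described in the last two posts, as an added example (not code from any poster in this thread): it records inode information plus a content hash for a list of binaries, hashes the manifest itself for the by-hand check, and reports drift, including setuid-root files that the baseline did not have. SHA-256 stands in here for the "fast checksum" and `sum`; the function names and the sample file are constructed for illustration.

```python
import hashlib, json, os, stat, tempfile
from pathlib import Path

# Inode fields compared against the baseline; mtime is left out on purpose,
# since whoever altered the file can set it back.
FIELDS = ("mode", "uid", "gid", "size", "inode", "sha256")

def record(path):
    st = os.lstat(path)
    data = Path(path).read_bytes() if stat.S_ISREG(st.st_mode) else b""
    return {"mode": st.st_mode, "uid": st.st_uid, "gid": st.st_gid,
            "size": st.st_size, "inode": st.st_ino,
            "sha256": hashlib.sha256(data).hexdigest()}

def snapshot(paths):
    return {p: record(p) for p in paths if os.path.lexists(p)}

def manifest_digest(snap):
    """One short value over the whole manifest, for the by-hand check."""
    return hashlib.sha256(json.dumps(snap, sort_keys=True).encode()).hexdigest()

def is_setuid_root(rec):
    return rec["uid"] == 0 and bool(rec["mode"] & stat.S_ISUID)

def compare(old, new):
    """Return (path, finding) pairs describing drift from the baseline."""
    findings = []
    for path in sorted(set(old) | set(new)):
        a, b = old.get(path), new.get(path)
        if a is None:
            findings.append((path, "new file"))
        elif b is None:
            findings.append((path, "missing"))
        elif (changed := [k for k in FIELDS if a[k] != b[k]]):
            findings.append((path, "changed: " + ",".join(changed)))
        if b and is_setuid_root(b) and not (a and is_setuid_root(a)):
            findings.append((path, "setuid root not in baseline"))
    return findings

def demo():
    """Constructed sample: same-length edit with the mtime put back."""
    with tempfile.TemporaryDirectory() as d:
        ls = Path(d, "ls")
        ls.write_bytes(b"original ls\n")
        base, st = snapshot([str(ls)]), ls.stat()
        ls.write_bytes(b"modified ls\n")
        os.utime(ls, (st.st_atime, st.st_mtime))
        return compare(base, snapshot([str(ls)]))

if __name__ == "__main__":
    print(demo())
```

The manifest and its digest only help if they are kept where the monitored system cannot rewrite them, which is the role the "safe tape" plays above.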