[net.works] apollo access control

ada@umich.UUCP (G. D. Buzzard) (02/15/86)

I have some questions about how safe it is to use Apollo systems
where it is important that things remain protected and secure,
and how dangerous it is to use Apollos in conjunction with
other networks using TCP/IP or what not.

I) TCP/IP is hazardous.
	1) Apollos do not seem to enforce the privileged socket aspects of
Unix BSD 4.2 TCP/IP.  Accordingly they shouldn't be trusted systems
connecting to VAXes where you can rlogin without a password,
since anyone could conceivably impersonate rlogin and forge
a user id.
	2) Since anyone can bind to such a socket, inbound use is virtually
insane, since anyone can impersonate a service daemon and collect
passwords at will.

II) Certain features of the system are suspicious
	1) Anyone can create a pad on a machine and talk to the display
manager of that machine.  This is really convenient for sending Unix-style write
messages, or talking between two people, or even popping up graphics.
Servers do this to inform people about new mail.  However the pads
can control the display manager, so they can TYPE ON MY TERMINAL
if they want.  I DON'T WANT ANYONE ELSE TYPING ON MY TERMINAL.
	2) Anyone can debug anyone else's process with the snazzy
new debugger; previously, and still, anyone can signal anyone's process,
even across the net and bridges.
I DON'T WANT ANYONE ELSE TALKING TO MY PROCESSES IN SUCH AN
UNCONTROLLED MANNER.

	3) Apollo has a trojan horse locksmith account built into login
with account '<><><><>' and password unknown.  Why should they?

	4) Why should copies of setuid and subsystem programs retain their
privileges, especially copies on floppy diskette?  What would stop
someone from changing the appropriate bits on a diskette and
screwing with my system, or, more easily, just getting on his system
and creating a setuid or subsystem manager and importing it
to my system to wreak havoc?  The ability for this to work
seems to imply the ability to create such programs by any
user regardless of access anyway.  Unfortunately the source code
is proprietary and unavailable, but there must be a trojan horse
entry into the system so that the copy command could
set up privileged programs in this way; if found, this entry
MUST be removed.
	5) How can the display manager change its identity to
the identity of the logged in user and then back?  This indicates
a backdoor way of changing a user identity.  Genuine Unix systems
create a new process for the new user; the init process runs as root.
Also, by what bogus method has Apollo implemented setuid programs?
Since program/process management is done mostly by a user library
which loads programs in user mode (non-privileged), it is bound to
be insecure and may present a means for programs changing ids.

Conclusion: Despite a byzantine system of managers and ACLs
and outward appearances of a reasonably secure system, the
Apollo is insecure, not trustable on a network, and
can be compromised by anyone else who has an Apollo and a
diskette, or who has anything that can change bits on a diskette.
I would buy something else if I wanted a secure system in
a hostile environment.  I also would not connect
general student clusters to research machines, to protect the
researchers from general students.
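The reserved-port trust that point I.1 turns on is worth seeing in code. The following is an added example written for this page, not code from the post or from Apollo or BSD: it models the 4.2BSD rlogind decision (source port below 1024, then a hosts.equiv/.rhosts lookup) together with the client host's bind() policy, and shows that the same forged rlogin request is stopped when the client kernel refuses reserved ports to non-root and accepted without a password when it does not. The host names, user names, uid and .rhosts table are constructed for illustration; the reserved-port boundary and the rlogin preamble format (a NUL byte, then client user, server user and terminal type, each NUL-terminated) are as in 4.2BSD.

```python
"""Model of the 4.2BSD rlogin trusted-host check (added example, not from the post).

rlogind on a genuine 4.2BSD host grants a password-less login only when
  (a) the TCP *source* port of the connection is a reserved port (< 1024),
      which that kernel lets only root bind, so the peer host vouches that a
      privileged rlogin client, not an arbitrary user, supplied the names; and
  (b) the (peer host, client user) pair is listed for the target account in
      /etc/hosts.equiv or ~/.rhosts.
Everything here is a simulation: the 'kernel' bind policy, the .rhosts table,
the host names and the user names are constructed for illustration.
"""

IPPORT_RESERVED = 1024  # 4.2BSD <netinet/in.h>: bind() below this needs root


def parse_rlogin_request(data: bytes):
    """Parse the client's opening rlogin message: a NUL byte, then
    client-user NUL server-user NUL terminal-type/speed NUL."""
    if not data.startswith(b"\0"):
        raise ValueError("rlogin request must start with a NUL byte")
    fields = data[1:].split(b"\0")
    if len(fields) < 3:
        raise ValueError("rlogin request is missing fields")
    client_user, server_user, term = (f.decode("ascii") for f in fields[:3])
    return client_user, server_user, term


def build_rlogin_request(client_user: str, server_user: str,
                         term: str = "vt100/9600") -> bytes:
    """Client side of the same exchange: what rlogin(1) sends on connect."""
    body = b"\0".join(s.encode("ascii") for s in (client_user, server_user, term))
    return b"\0" + body + b"\0"


def rhosts_allows(rhosts: dict, peer_host: str, client_user: str,
                  server_user: str) -> bool:
    """.rhosts / hosts.equiv lookup.  rhosts maps a local account to the set of
    (host, remote user) pairs allowed to log in to it without a password."""
    return (peer_host, client_user) in rhosts.get(server_user, set())


def rlogind_decide(src_port: int, peer_host: str, request: bytes,
                   rhosts: dict) -> str:
    """Server-side decision, in the order 4.2BSD rlogind applies its checks."""
    if not 0 < src_port < IPPORT_RESERVED:
        # rlogind drops the connection here: a non-reserved source port means
        # an unprivileged process on the peer may have forged the user names.
        return "reject: source port not reserved"
    client_user, server_user, _term = parse_rlogin_request(request)
    if rhosts_allows(rhosts, peer_host, client_user, server_user):
        return f"accept: {client_user}@{peer_host} as {server_user} without password"
    return f"password required for {server_user}"


def kernel_allows_bind(uid: int, port: int, enforces_reserved_ports: bool) -> bool:
    """Simulated bind() policy of the *client* host's kernel.  A genuine 4.2BSD
    kernel refuses reserved ports to non-root; the post's complaint is that the
    Apollo stack appears not to enforce this (modelled by the flag)."""
    if port < IPPORT_RESERVED and enforces_reserved_ports and uid != 0:
        return False
    return True


def attempt_forged_login(uid: int, enforces_reserved_ports: bool, rhosts: dict,
                         peer_host: str, claimed_user: str, target_user: str) -> str:
    """An ordinary user (uid != 0) runs a home-made rlogin client that claims
    to be `claimed_user`, tries to bind a reserved source port, and connects."""
    src_port = 1023  # the first port a real rlogin client tries
    if not kernel_allows_bind(uid, src_port, enforces_reserved_ports):
        return "client: bind to reserved port refused"
    request = build_rlogin_request(claimed_user, target_user)
    return rlogind_decide(src_port, peer_host, request, rhosts)


# Constructed .rhosts content on the VAX: the account "researcher" trusts
# user "researcher" connecting from the (hypothetical) Apollo host "apollo1".
VAX_RHOSTS = {"researcher": {("apollo1", "researcher")}}

if __name__ == "__main__":
    # Student (uid 200) on a host whose kernel enforces reserved ports.
    print(attempt_forged_login(200, True, VAX_RHOSTS, "apollo1",
                               "researcher", "researcher"))
    # Same student on a host that lets anyone bind a reserved port.
    print(attempt_forged_login(200, False, VAX_RHOSTS, "apollo1",
                               "researcher", "researcher"))
```

Run it directly and the first attempt is stopped at bind() on the client, while the second reaches rlogind with a reserved source port and a name the .rhosts entry trusts, so the VAX logs the student in as "researcher" without asking for a password. Nothing in the server's checks can tell the two cases apart; the whole scheme rests on the peer kernel's bind() policy, which is exactly the assumption the post says does not hold.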