ada@umich.UUCP (G. D. Buzzard) (02/15/86)
I have some questions about how safe it is to use Apollo systems where it is important that things remain protected and secure, and how dangerous it is to use Apollos in conjunction with other networks using TCP/IP or what not.

I) TCP/IP is hazardous.

1) Apollos do not seem to enforce the privileged socket aspects of Unix BSD 4.2 TCP/IP. Accordingly they shouldn't be trusted systems connecting to VAXes where you can rlogin without a password, since anyone could conceivably impersonate rlogin and forge a user id.

2) Since anyone can bind to such a socket, inbound use is virtually insane, since anyone can impersonate a service daemon and collect passwords at will.

II) Certain features of the system are suspicious.

1) Anyone can create a pad on a machine and talk to the display manager of that machine. This is really convenient for sending Unix-style write messages, or talking between two people, or even popping up graphics. Servers do this to inform people about new mail. However, the pads can control the display manager, so they can TYPE ON MY TERMINAL if they want. I DON'T WANT ANYONE ELSE TYPING ON MY TERMINAL.

2) Anyone can debug anyone else's process with the snazzy new debugger; previously, and still, anyone can signal anyone's process, even across the net and bridges. I DON'T WANT ANYONE ELSE TALKING TO MY PROCESSES IN SUCH AN UNCONTROLLED MANNER.

3) Apollo has a trojan horse locksmith account built into login with account '<><><><>' and password unknown. Why should they?

4) Why should copies of setuid and subsystem programs retain their privileges, especially copies on floppy diskette? What would stop someone from changing the appropriate bits on a diskette and screwing with my system, or more easily just getting on his system and creating a setuid or subsystem manager and importing it to my system to wreak havoc? The ability for this to work seems to imply the ability to create such programs by any user regardless of access anyway. Unfortunately the source code is proprietary and unavailable, but there must be a trojan horse entry into the system so that the copy command could set up privileged programs in this way; if found, this entry MUST be removed.

5) How can the display manager change its identity to the identity of the logged-in user and then back? This indicates a backdoor way for changing a user identity. Genuine Unix systems create a new process for the new user; the init process runs as root. Also, by what bogus method has Apollo implemented setuid programs? Since program/process management is done mostly by a user library which loads programs in user mode (non-privileged), it is bound to be insecure and may present a means for programs changing ids.

Conclusion: Despite a byzantine system of managers and ACLs and outward appearances of a reasonably secure system, the Apollo is insecure, not trustable on a network, and can be compromised by anyone else who has an Apollo and a diskette, or who has anything that can change bits on a diskette. I would buy something else if I wanted a secure system in a hostile environment. I also would not connect general student clusters to research machines, to protect the researchers from general students.
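The diskette concern in item II.4 (setuid and subsystem bits surviving a copy from media the administrator does not control) is exactly what the nosuid mount option and periodic setid audits address on later Unix systems. The script below is an added example by the editor, not code from the post or from Apollo; it assumes a Linux-style host with a /proc/mounts-format table, and the mount lines, device names and paths in it are constructed for illustration.

```python
import os
import stat
from typing import List, Tuple

# Constructed /proc/mounts-style table (hypothetical devices and paths, not from the post).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/fd0 /mnt/floppy vfat rw,nosuid,nodev,relatime 0 0
/dev/sdb1 /media/usb ext4 rw,relatime 0 0
fileserver:/export /home nfs rw,nosuid,nodev,relatime 0 0
"""

# Filesystem types that typically come from removable media or another machine,
# i.e. places where a file's setuid bit was set by someone we did not authorize.
REMOVABLE_OR_REMOTE = {"vfat", "msdos", "iso9660", "udf", "nfs", "cifs"}


def mounts_missing_nosuid(mounts_text: str,
                          untrusted_prefixes: Tuple[str, ...] = ("/mnt", "/media")
                          ) -> List[Tuple[str, str]]:
    """Return (mountpoint, fstype) for every mount that is removable, remote, or under an
    untrusted prefix and that lacks the nosuid option, so setuid bits on it would be honored."""
    findings = []
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than guess
        _device, mountpoint, fstype, opts = parts[:4]
        options = set(opts.split(","))
        untrusted = fstype in REMOVABLE_OR_REMOTE or mountpoint.startswith(untrusted_prefixes)
        if untrusted and "nosuid" not in options:
            findings.append((mountpoint, fstype))
    return findings


def find_setid_files(root: str) -> List[str]:
    """Walk root (not following symlinks) and return regular files with setuid or setgid set.
    Run this over a freshly mounted diskette or USB stick before trusting anything on it."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat so a symlink to /bin/su is not reported as setuid
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    # Report on the constructed table, then audit a directory given on the command line.
    import sys
    for mountpoint, fstype in mounts_missing_nosuid(SAMPLE_MOUNTS):
        print(f"WARNING: {mountpoint} ({fstype}) is mounted without nosuid")
    if len(sys.argv) > 1:
        for path in find_setid_files(sys.argv[1]):
            print(f"setid file: {path}")
```

On the constructed table only /media/usb is flagged: the floppy and the NFS export already carry nosuid, and the root filesystem is where setuid programs are expected to live. The walker uses lstat so that a symlink pointing at a legitimate setuid binary is not counted, and it is read-only, so it can be run routinely from cron against every removable or imported mount.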