[comp.unix.ultrix] ultrix 4.0 enhanced security

rusty@GARNET.BERKELEY.EDU (rusty wright) (08/30/90)

I have some questions/problems regarding the 'Enhanced Security' of
Ultrix 4.0 and am hoping that someone out there can help.  I've
installed Ultrix 4.0 and the Mandatory Upgrade.

1) When I try to use the 'su' command from a DECterm window it won't
let me and says 'Requires secure terminal'.  I'm assuming that I could
fix this by putting 'secure' for each of the ttyp and ttyq lines in
/etc/ttys since that's what the su man page says.  This seems just a
trifle bogus since by doing that I would potentially be allowing
people to login (or attempt to if they're a cracker) as root over the
network with rlogin or telnet.  Can I get rid of this 'feature' by
configuring my system with Upgrade Security instead of Enhanced
Security?  Or does anybody know how to get rid of it besides adding
the 'secure' flag to each of the network tty lines in /etc/ttys?

2) I can't find anything in any of the documentation about either how
to or if I can downgrade from Enhanced Security to Upgrade Security.
The manual page for secsetup only says that secsetup is used to
'enable the enhanced security features' and nothing about disabling
them.  The reason I need to downgrade my security level is that it
turns out that Ultrix/SQL doesn't work with Enhanced Security.  Does
anybody know of any other add-on/layered products that don't work with
Enhanced Security?

avolio@decuac.DEC.COM (Frederick M. Avolio) (08/30/90)

In article <9008300308.AA06175@garnet.berkeley.edu>, 
	rusty@GARNET.BERKELEY.EDU (rusty wright) writes:


|>1) When I try to use the 'su' command from a DECterm window it won't
|>let me and says 'Requires secure terminal'.  

I don't see this behavior on my 4.0 machine, so it must have to do
with some security features you've got turned on.  (Did you read the
security guide?  I haven't yet...)


|>2) I can't find anything in any of the documentation about either how
|>to or if I can downgrade from Enhanced Security to Upgrade Security.

Check out /etc/svc.conf.

Fred

cliffb@isavax.isa.com (cliff bedore*) (08/31/90)

In article <9008300308.AA06175@garnet.berkeley.edu> rusty@GARNET.BERKELEY.EDU (rusty wright) writes:
>I have some questions/problems regarding the 'Enhanced Security' of
>Ultrix 4.0 and am hoping that someone out there can help.  I've
>installed Ultrix 4.0 and the Mandatory Upgrade.
>
>1) When I try to use the 'su' command from a DECterm window it won't
>let me and says 'Requires secure terminal'.  I'm assuming that I could
>fix this by putting 'secure' for each of the ttyp and ttyq lines in
>/etc/ttys since that's what the su man page says.  This seems just a
>trifle bogus since by doing that I would potentially be allowing
>people to login (or attempt to if they're a cracker) as root over the
>network with rlogin or telnet.  Can I get rid of this 'feature' by
>configuring my system with Upgrade Security instead of Enhanced
>Security?  Or does anybody know how to get rid of it besides adding
>the 'secure' flag to each of the network tty lines in /etc/ttys?
>
>2) I can't find anything in any of the documentation about either how
>to or if I can downgrade from Enhanced Security to Upgrade Security.
>The manual page for secsetup only says that secsetup is used to
>'enable the enhanced security features' and nothing about disabling
>them.  The reason I need to downgrade my security level is that it
>turns out that Ultrix/SQL doesn't work with Enhanced Security.  Does
>anybody know of any other add-on/layered products that don't work with
>Enhanced Security?

Volume 1 System and network management Security guide section 3.1.2.2 says
su works in UPGRADE or ENHANCED mode only when terminal is marked secure.

Section 7.2 same area gives details about backing off security.


Cliff

rusty@garnet.berkeley.edu (rusty wright) (09/01/90)

I still can't get su to work with DECwindows; I downgraded the system
to UPGRADE level by editing the svc.conf file (as suggested by a
posting from a DEC employee) and it still complains about 'not a
secure tty'.  I read the security guide and didn't find anything
there.  As to the DEC employee that gave the usual 'it works here'
response, I'd guess that your /etc/ttys file has 'secure' set for all
of the pty's.
--

	rusty c. wright
	rusty@garnet.berkeley.edu ucbvax!rusty

schemers@vela.acs.oakland.edu (Roland Schemers III) (09/01/90)

In article <RUSTY.90Aug31102448@garnet.berkeley.edu> rusty@garnet.berkeley.edu (rusty wright) writes:
>I still can't get su to work with DECwindows; I downgraded the system
>to UPGRADE level by editing the svc.conf file (as suggested by a
>posting from a DEC employee) and it still complains about 'not a

I remember reading in the 4.0 docs that su will only work from a secure line
in UPGRADE or SECURE mode.  It's in Section 3.1.2.2 in the System Management
Volume 1.  If you want su to work in UPGRADE or SECURE mode then you 
should set the lines as secure in /etc/ttys. Of course this opens up a
HUGE security hole. If you must run in UPGRADE or SECURE mode and use the
su command, then you could always write your own modified version of 'su'
and install it. This of course could be another huge security hole.

I think they should have left su the way it was. Making it work only from
a secure line in UPGRADE or ENHANCED mode is a hassle. The way I have been
doing it on campus (with Ultrix 3.1) is to make the su command executable only
from the system group. Then only people in the system group can execute su.
I feel normal users shouldn't have to use su anyways. They can just
logout and log back in.

We are currently running 4.0 in BSD mode, so we haven't run into this problem
yet.

Roland
-- 
Roland J. Schemers III                              Systems Programmer 
schemers@vela.acs.oakland.edu (Ultrix)              Oakland University 
schemers@argo.acs.oakland.edu (VMS)                 Rochester, MI 48309-4401
"Get off your LEF and do something!"                (313)-370-4323
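
The trade-off discussed in this thread (marking the ttyp/ttyq lines 'secure' so su works, at the cost of allowing root logins over rlogin or telnet) can be audited with a short script. This is an added example, not part of any post above and not an Ultrix tool; it assumes a 4.3BSD-style /etc/ttys layout and pty names of the form tty[p-z][0-9a-f], and the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout (4.3BSD-style ttys):
#   name  command  type  [on|off] [secure] ...    '#' starts a comment
# The command may be a double-quoted string containing spaces.

# list_secure_ptys [FILE]: print each pseudo-terminal name (ttyp*, ttyq*, ...)
# whose line carries the 'secure' flag. Reads stdin when FILE is omitted.
list_secure_ptys() {
    LC_ALL=C awk '
    {
        sub(/#.*/, "")                         # strip comments
        if ($1 !~ /^tty[p-z][0-9a-f]$/) next   # only network ptys
        rest = $0
        gsub(/"[^"]*"/, "", rest)              # ignore words inside the quoted command
        n = split(rest, f, /[ \t]+/)
        for (i = 2; i <= n; i++)
            if (f[i] == "secure") { print $1; break }
    }' "$@"
}

# Constructed sample input (not a real system's file).
sample_ttys() {
cat <<'EOF'
console "/etc/getty std.9600" vt100 on secure
tty00 "/etc/getty std.9600" vt100 off
ttyp0 none network secure
ttyp1 none network
ttyp2 "/etc/getty secure" network on
ttyq0 none network secure   # trailing comment
# ttyq1 none network secure
EOF
}

# Audit the file given as an argument, or the constructed sample otherwise.
if [ $# -gt 0 ]; then
    list_secure_ptys "$1"
else
    sample_ttys | list_secure_ptys
fi
```

Any name it prints is a network pseudo-terminal on which a root login would be accepted; the console line is deliberately ignored.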

grr@cbmvax.commodore.com (George Robbins) (09/01/90)

In article <RUSTY.90Aug31102448@garnet.berkeley.edu> rusty@garnet.berkeley.edu (rusty wright) writes:
> I still can't get su to work with DECwindows; I downgraded the system
> to UPGRADE level by editing the svc.conf file (as suggested by a
> posting from a DEC employee) and it still complains about 'not a
> secure tty'.  I read the security guide and didn't find anything
> there.  As to the DEC employee that gave the usual 'it works here'
> response, I'd guess that your /etc/ttys file has 'secure' set for all
> of the pty's.

Sounds like a change to the su program, why don't you see if the
one from 3.1C still functions correctly...

-- 
George Robbins - now working for,     uucp:   {uunet|pyramid|rutgers}!cbmvax!grr
but no way officially representing:   domain: grr@cbmvax.commodore.com
Commodore, Engineering Department     phone:  215-431-9349 (only by moonlite)