grr@cbmvax.UUCP (George Robbins) (06/13/89)
Ultrix 3.0 introduced a new, serious, security hole that allows any
informed user to obtain access to root privileges by typing a single
command line.

Contact with DEC software support determined that they were aware of
the problem and that there was a workaround available. The support
person was unable to explain why DEC had not notified their customers
of the problem.

I find this very disappointing, considering that I am paying DEC for
software support and had made a query via DSIN whether there were any
known problems associated with installing Ultrix 3.0.

Please contact DEC software support to obtain the workaround for this
problem, as in most cases, I have no unambiguous way of distinguishing
a concerned administrator from an inquisitive cracker.

--
George Robbins - now working for,     uucp: {uunet|pyramid|rutgers}!cbmvax!grr
but no way officially representing    arpa: cbmvax!grr@uunet.uu.net
Commodore, Engineering Department     fone: 215-431-9255 (only by moonlite)

lyndon@cs.AthabascaU.CA (Lyndon Nerenberg) (06/15/89)
In article <7091@cbmvax.UUCP> grr@cbmvax.UUCP (George Robbins) writes:
>Ultrix 3.0 introduced a new, serious, security hole that allows any
>informed user to obtain access to root privileges by typing a single
>command line.
>
>Please contact DEC software support to obtain the workaround for this
>problem, as in most cases, I have no unambiguous way of distinguishing
>a concerned administrator from an inquisitive cracker.

Can you give us a bug number or something similar we can use to
reference this when calling DEC technical support? Trying to describe
a problem with a description like that usually results in spending
too many hours on the phone for my liking.

--
Lyndon Nerenberg / Computing Services / Athabasca University
{alberta,decwrl,ncc}!atha!lyndon || lyndon@cs.AthabascaU.CA
Trying to manage programmers is like trying to herd cats!

michaud@vaxcpu.nac.dec.com (Jeff Michaud) (06/15/89)
The V3.0 problem is fixed in V3.1 if that is any consolation for those
planning to install V3.1 anyways. I don't know when shipping is to
start for it. V3.1 is a patch update (ie. doesn't require a full
installation).

/--------------------------------------------------------------\
|Jeff Michaud    michaud@decwrl.dec.com   michaud@decvax.dec.com|
|DECnet-ULTRIX   #include <standard/disclaimer.h>               |
\--------------------------------------------------------------/

grr@cbmvax.UUCP (George Robbins) (06/15/89)
In article <622@aurora.AthabascaU.CA> lyndon@cs.AthabascaU.CA (Lyndon Nerenberg) writes:
> In article <7091@cbmvax.UUCP> grr@cbmvax.UUCP (George Robbins) writes:
> >
> >Please contact DEC software support to obtain the workaround for this
> >problem, as in most cases, I have no unambiguous way of distinguishing
> >a concerned administrator from an inquisitive cracker.
>
> Can you give us a bug number or something similar we can use to
> reference this when calling DEC technical support? Trying to describe
> a problem with a description like that usually results in spending
> too many hours on the phone for my liking.--

Ah, alas, but to name this particular problem is to make it all too
obvious, and the slip of paper with the bug number is about 2500 miles
from here...

If you call DEC and ask about "known security problems" and they play
dumb, I'd be even more upset. If need be, I'll post the problem number
when I get back to the office, but that's about a week from now.

--
George Robbins - now working for,     uucp: {uunet|pyramid|rutgers}!cbmvax!grr
but no way officially representing    arpa: cbmvax!grr@uunet.uu.net
Commodore, Engineering Department     fone: 215-431-9255 (only by moonlite)