[comp.sys.sgi] fix for login

loki@NAZGUL.PHYSICS.MCGILL.CA (Loki Jorgenson Rm421) (03/03/91)

	OK.... if it's public pressure that SGI need to publish the
fix or post the binary on sgi.com, I am adding my voice to the chorus.
I have had more than my share of run-ins with the passwdreq bug and
it's pretty irritating.

	SGI, please post a fixed /bin/login.

                             __          __
Loki Jorgenson              / /          \ \  node:  loki@Physics.McGill.CA
Grad, Systems Manager      / //////  \\\\\\ \ BITNET: PY29@MCGILLA
Physics, McGill University \ \\\\\\  ////// / fax:   (514) 398-8434
Montreal Quebec CANADA      \_\          /_/  phone: (514) 398-7027

vjs@rhyolite.wpd.sgi.com (Vernon Schryver) (03/05/91)

In article <9103022329.AA13891@nazgul.physics.mcgill.ca>, loki@NAZGUL.PHYSICS.MCGILL.CA (Loki Jorgenson Rm421) writes:
> 
> 	OK.... if it's public pressure that SGI need to publish the
> fix or post the binary on sgi.com, I am adding my voice to the chorus.
> I have had more than my share of run-ins with the passwdreq bug and
> it's pretty irritating.
> 
> 	SGI, please post a fixed /bin/login.

Silicon Graphics is a commercial, for-profit organization.  The NSFNET and
BARRNet acceptable use restrictions explicitly prohibit us from using the
Internet or BARRNet for private gain.  We can post things for the use of
universities, other educational institutions, and non-profit research
organizations.  We cannot post them for others.

It is true that another commercial workstation vendor obtained permission
to offer support over the Internet.  It is also true that that wording of
that permission was quite careful.  It said, in part,

    If this service is made available to for-profit institutions, you sould
    (sic) have your for-profit users sign an agreement that their use of
    the NSFNET would be limited to research and/or education and will be
    consistent with the attached NSFNET Acceptable Use Policy.

It would be at best complicated to get our "for-profit" customers to sign
such an agreement, and to ensure that only those who had signed and those
who are at "academic and research institutions" could get the fixed binary.

It is one thing to bend the rules for security fixes in a new sendmail, or
to blink at them with a sendmail that does MX, since all Internet email is
supposed to be to or from "academic and research institutions" and so a
fixed sendmail at a commercial site helps the academics.  A similar rationale
seems unlikely for fixing /bin/login at commercial sites.



Vernon Schryver,  vjs@sgi.com

samlb@pioneer.arc.nasa.gov (Sam Bassett RCS) (03/05/91)

	Yeah, SGI -- doit -- please!

Sam'l Bassett, Sterling Software @ NASA Ames Research Center, 
Moffett Field CA 94035 Work: (415) 604-4792;  Home: (415) 969-2644
samlb@well.sf.ca.us                     samlb@ames.arc.nasa.gov 
<Disclaimer> := 'Sterling doesn't _have_ opinions -- much less NASA!'

johnson@EULER.JSC.NASA.GOV (Stan Johnson) (03/05/91)

Vernon Schryver writes:

> Silicon Graphics is a commercial, for-profit organization.  The NSFNET and
> BARRNet acceptable use restrictions explicitly prohibit us from using the
> Internet or BARRNet for private gain.  We can post things for the use of
> universities, other educational institutions, and non-profit research
> organizations.  We cannot post them for others.
  (...)
> It would be at best complicated to get our "for-profit" customers to sign
> such an agreement, and to ensure that only those who had signed and those
> who are at "academic and research institutions" could get the fixed binary.
  (...)
> It is one thing to bend the rules for security fixes in a new sendmail, or
> to blink at them with a sendmail that does MX, since all Internet email is
> supposed to be to or from "academic and research institutions" and so a
> fixed sendmail at a commercial site helps the academics.  A similar rationale
> seems unlikely for fixing /bin/login at commercial sites.


I AM A LITTLE SURPRISED AT THE ABOVE REACTION FROM SGI TO THEIR CUSTOMERS'
VALID CONCERNS ABOUT SECURITY HOLES IN /bin/login.  THE ABILITY TO CHANGE
ANOTHER USER'S PASSWORD BY SIMPLY GETTING ACCESS TO HIS OR HER ACCOUNT
THROUGH rlogin SEEMS A VALID ENOUGH SECURITY REASON FOR SGI TO DISTRIBUTE
A FIX.  THERE MAY BE SOME GOOD REASONS NOT TO POST THE EXECUTABLE ON
sgi.com, BUT THAT DOES NOT DIMINISH THE NEED TO COMMUNICATE THE INFORMATION
TO CUSTOMERS IN ONE WAY OR ANOTHER.

AND I DON'T THINK REQUESTING A FIX TO A SERIOUS PROBLEM FOR WHICH THERE
IS A KNOWN FIX MAKES ANYONE A "SQUEAKY WHEEL", AS WAS SUGGESTED IN AN
EARLIER MESSAGE FROM SGI.

-STAN JOHNSON
 (713) 483-4692
 NASA / Johnson Space Center
 email: johnson@euler.jsc.nasa.gov

samlb@pioneer.arc.nasa.gov (Sam Bassett RCS) (03/05/91)

In article <88634@sgi.sgi.com> vjs@rhyolite.wpd.sgi.com (Vernon Schryver) writes:
>It is one thing to bend the rules for security fixes in a new sendmail, or
>to blink at them with a sendmail that does MX, since all Internet email is
>supposed to be to or from "academic and research institutions" and so a
>fixed sendmail at a commercial site helps the academics.  A similar rationale
>seems unlikely for fixing /bin/login at commercial sites.

	Absolute fnortilated bull-bleep!

	What we are asking you to do is to put a copy of a bug fix in
your anonymous ftp directory, so that research and government sites (like
mine) that take such things seriously can get the fix in advance of the
distribution of "cypress", aka IRIX 4.0 which is vaporously reputed to
be happening Real Soon Now.

	I don't see how this can be construed as "commercial use of the
Internet" -- no money is changing hands for services.


Sam'l Bassett, Sterling Software @ NASA Ames Research Center, 
Moffett Field CA 94035 Work: (415) 604-4792;  Home: (415) 969-2644
samlb@well.sf.ca.us                     samlb@ames.arc.nasa.gov 
<Disclaimer> := 'Sterling doesn't _have_ opinions -- much less NASA!'

vjs@rhyolite.wpd.sgi.com (Vernon Schryver) (03/05/91)

In article <1991Mar4.230639.22196@riacs.edu>, samlb@pioneer.arc.nasa.gov (Sam Bassett RCS) writes:
> In article <88634@sgi.sgi.com> vjs@rhyolite.wpd.sgi.com (Vernon Schryver) writes:
> >It is one thing to bend the rules for security fixes in a new sendmail, or
> >to blink at them with a sendmail that does MX, since all Internet email is
> >supposed to be to or from "academic and research institutions" and so a
> >fixed sendmail at a commercial site helps the academics.  A similar rationale
> >seems unlikely for fixing /bin/login at commercial sites.
> 
> 	Absolute fnortilated bull-bleep!
> 
> 	What we are asking you to do is to put a copy of a bug fix in
> your anonymous ftp directory, so that research and government sites (like
> mine) that take such things seriously can get the fix in advance of the
> distribution of "cypress", aka IRIX 4.0 which is vaporously reputed to
> be happening Real Soon Now.
> 
> 	I don't see how this can be construed as "commercial use of the
> Internet" -- no money is changing hands for services.


What?  SGI sent you an IRIS on which to run /bin/login for nothing?
It must have been an extra for the zillions of other IRIS's purchased
over there.

Consider the entirely reasonable reaction of Silicon Graphics competitors
who do not have an Internet link.  They would quite reasonably be unhappy
at seeing our distribution of fixes subsidized by their tax dollars.  They
would be less than thrilled to know that you are more likely to buy an IRIS
than one of their boxes because Silicon Graphics is able to use their tax
dollars to help us distribute fixes.

As I wrote, we could offer fixes to people at NASA, McGill and other
academic or government institutions.  The trouble is doing it only for
you.

Please re-read the portion I quoted of the permission given the other
vendor.  The NSFNET fair use restrictions are not our choosing.  If you
don't like them, please write congress.

Please note that the /bin/login fix does not close any security holes.


Vernon Schryver,  vjs@sgi.com

vjs@rhyolite.wpd.sgi.com (Vernon Schryver) (03/05/91)

In article <9103042232.AA00908@euler.jsc.nasa.gov>, johnson@EULER.JSC.NASA.GOV (Stan Johnson) writes:
> 
> I AM A LITTLE SURPRISED AT THE ABOVE REACTION FROM SGI TO THEIR CUSTOMERS'
> VALID CONCERNS ABOUT SECURITY HOLES IN /bin/login.  THE ABILITY TO CHANGE
> ANOTHER USER'S PASSWORD BY SIMPLY GETTING ACCESS TO HIS OR HER ACCOUNT
> THROUGH rlogin SEEMS A VALID ENOUGH SECURITY REASON FOR SGI TO DISTRIBUTE
> A FIX.  THERE MAY BE SOME GOOD REASONS NOT TO POST THE EXECUTABLE ON
> sgi.com, BUT THAT DOES NOT DIMINISH THE NEED TO COMMUNICATE THE INFORMATION
> TO CUSTOMERS IN ONE WAY OR ANOTHER.
> 
> AND I DON'T THINK REQUESTING A FIX TO A SERIOUS PROBLEM FOR WHICH THERE
> IS A KNOWN FIX MAKES ANYONE A "SQUEAKY WHEEL", AS WAS SUGGESTED IN AN
> EARLIER MESSAGE FROM SGI.
> 
> -STAN JOHNSON
>  (713) 483-4692
>  NASA / Johnson Space Center
>  email: johnson@euler.jsc.nasa.gov



Please note that the fix for /bin/login does not close any security holes.
The problem is only that people are forced to run the passwd command after
being accepted as bona fide users.  What happens is exactly the same as if
someone had first used rlogin, and then typed `passwd`.  At worst, this
makes the new "password required" feature less useful.  It does not allow
anyone any access to machines that they did not already have.  In fact, it
effectively denies access.

The /bin/login bug is a serious bug, but so are many other bugs that we are
fixing for IRIX 4.0.  If you view the /bin/login fix as serious enough, and
if you are willing to pay enough for the fix before the next release, I
bet the support organization would be happy to send you a tape via overnight
courier.


Please contact Silicon Graphics or the CERT hotline immediately if you know
of a security hole in the IRIX 3.3.2 /bin/login.  Again, this fix to
/bin/login is not a security issue.


Vernon Schryver,   vjs@sgi.com

samlb@pioneer.arc.nasa.gov (Sam Bassett RCS) (03/05/91)

In article <9103050639.AA03797@ultima.cerfacs.fr> farestam@ORION.CERFACS.FR (Stefan Farestam) writes:
>   A fixed version for login is available at sgi.com by anonymous
>   ftp in directory sgi/login. It is compiled on 3.3.2, but seems
>   to work ok on 3.3.1

	No, it is not -- it was removed about Mar 4 19:32

Sam'l Bassett, Sterling Software @ NASA Ames Research Center, 
Moffett Field CA 94035 Work: (415) 604-4792;  Home: (415) 969-2644
samlb@well.sf.ca.us                     samlb@ames.arc.nasa.gov 
<Disclaimer> := 'Sterling doesn't _have_ opinions -- much less NASA!'

farestam@ORION.CERFACS.FR (Stefan Farestam) (03/05/91)

   A fixed version for login is available at sgi.com by anonymous
   ftp in directory sgi/login. It is compiled on 3.3.2, but seems
   to work ok on 3.3.1

   /Stefan Farestam



   .................................................................   
 .             Stefan Farestam    <farestam@cerfacs.fr>              .
.   __ __  __ _  _ _                                                  .
.  /  |_ )|_ /_\/ (          European Centre for Research and         .
 . \_ |__\| /   \__)    Advanced Training in Scientific Computation  .
   .................................................................  

johnson@euler.jsc.nasa.gov (Stan Johnson) (03/06/91)

Vernon Schryver writes:
>Please note that the fix for /bin/login does not close any security holes.
>The problem is only that people are forced to run the passwd command after
>being accepted as bona fide users.  What happens is exactly the same as if
>someone had first used rlogin, and then typed `passwd`.  At worst, this
>makes the new "password required" feature less useful.  It does not allow
>anyone any access to machines that they did not already have.  In fact, it
>effectively denies access.
 (...)
>Vernon Schryver,   vjs@sgi.com

You are absolutely right; my apologies.  The fact that the user must first
enter his or her old password makes the problem one of convenience, not
security.  I had forgotten that fact, since I ran into the problem as root
and so was not asked for the old password...

I should also mention that SGI hotline personnel were very helpful in
isolating and solving the problem.

-Stan Johnson
 NASA / Johnson Space Center
 (713) 483-4692
 johnson@euler.jsc.nasa.gov