
Re: Security hole in Debian's /bin/false?




On Mon, 7 Jul 1997, Alex Romosan wrote:

> >> I don't know about other Unices but at least IRIX has its /bin/true and
> >> /bin/false set to shell scripts as well. It seems that Debian's no worse
> >> off than SGIs and other Linux distributions at least.
> >
> >If there exists at least ONE really insecure Unix, it is called IRIX. There's
> >nothing in the line of IRIX so don't be surprised.
> >
> 
> /bin/true and /bin/false are also shell scripts on solaris. they are
> not on digital unix and aix. it looks like it is a system v thing. so
> there. as for irix being insecure, it is a function of the system
> administrator (sgi is pretty good at releasing patches).

Sorry but I _don't_ think it's appropriate to ask the system administrator
to remove 10^6 suid programs on IRIX, all inetd services and non-inetd
services just to get _some_ sense of security. IRIX is _not_ secure - it's
a fact. Security was never in the design specs for IRIX - usability was
probably requirement #1. Why would they create a dozen suid admin-tools if
it wasn't for usability alone - it's just plain wrong from a security
standpoint. 

The SGI policy is that you shouldn't have put an SGI box on the net in the
first place if you don't have a firewall to guard it. 

Strangely - the OSes I have _some_ confidence in wrt security are AIX and
Digital UNIX.

astor

