DataMuseum.dk

Presents historical artifacts from the history of:

DKUUG/EUUG Conference tapes

This is an automatic "excavation" of a thematic subset of
artifacts from Datamuseum.dk's BitArchive.

⟦9bac6dc50⟧ TextFile

    Length: 23527 (0x5be7)
    Types: TextFile
    Names: »d.ritchie-on.security.of.unix.ps«

Derivation

└─⟦4f9d7c866⟧ Bits:30007245 EUUGD6: Sikkerheds distributionen
    └─⟦this⟧ »./papers/General_Unix/d.ritchie-on.security.of.unix.ps« 

TextFile

%!PS-Adobe-2.1
%%Creator: groff version 0.6
%%DocumentFonts: Times-Roman Times-Italic Times-Bold
%%DocumentSuppliedFonts:
%%DocumentNeededFonts: Times-Roman Times-Italic Times-Bold
%%Pages: 3
%%EndComments
%%Page: 1 1
BP/F0 12/Times-Bold@0 SF(On the Security of UNIX)224.34 120 Q/F1 10
/Times-Italic@0 SF(Dennis M. Ritchie)251.755 144 Q/F2 10/Times-Roman@0 SF .527
(Recently there has been much interest in the security aspects of operating sy\
stems and software.)97 201.6 R(At)5.527 E .636(issue is the ability to prevent\
 undesired disclosure of information, destruction of information, and harm to)
72 213.6 R .205(the functioning of the system.)72 225.6 R .204
(This paper discusses the degree of security which can be provided under the)
5.204 F/F3 9/Times-Roman@0 SF(UNIX)72 237.6 Q F2 2.5<8773>C(ystem and of)
105.881 237.6 Q(fers a number of hints on how to improve security)-.18 E(.)-.65
E .025(The \214rst fact to face is that)97 253.2 R F3(UNIX)2.525 E F2 .025
(was not developed with security)2.525 F 2.525(,i)-.65 G 2.525(na)368.016 253.2
S .026(ny realistic sense, in mind; this)379.981 253.2 R .99
(fact alone guarantees a vast number of holes.)72 265.2 R .989
(\(Actually the same statement can be made with respect to)5.989 F .563
(most systems.\))72 277.2 R .563(The area of security in which)5.563 F F3(UNIX)
3.064 E F2 .564(is theoretically weakest is in protecting against crash-)3.064
F .886(ing or at least crippling the operation of the system.)72 289.2 R .886
(The problem here is not mainly in uncritical accep-)5.886 F .432(tance of bad\
 parameters to system calls\212 there may be bugs in this area, but none are k\
nown\212 but rather)72 301.2 R .32
(in lack of checks for excessive consumption of resources.)72 313.2 R .32
(Most notably)5.32 F 2.82(,t)-.65 G .32(here is no limit on the amount of)
370.93 313.2 R .548(disk storage used, either in total space allocated or in t\
he number of \214les or directories.)72 325.2 R .549(Here is a particu-)5.549 F
(larly ghastly shell sequence guaranteed to stop the system:)72 337.2 Q
(while : ; do)108 355.2 Q(mkdir x)133 367.2 Q(cd x)133 379.2 Q(done)108 391.2 Q
.866(Either a panic will occur because all the i-nodes on the device are used \
up, or all the disk blocks will be)72 409.2 R
(consumed, thus preventing anyone from writing \214les on the device.)72 421.2
Q .417(In this version of the system, users are prevented from creating more t\
han a set number of processes)97 436.8 R(simultaneously)72 448.8 Q 3.36(,s)-.65
G 3.36(ou)141.66 448.8 S .859(nless users are in collusion it is unlikely that\
 any one can stop the system altogether)155.02 448.8 R(.)-.55 E(However)72
460.8 Q 3.152(,c)-.4 G .653(reation of 20 or so CPU or disk-bound jobs leaves \
few resources available for others.)118.342 460.8 R .653(Also, if)5.653 F
(many lar)72 472.8 Q(ge jobs are run simultaneously)-.18 E 2.5(,s)-.65 G
(wap space may run out, causing a panic.)237.54 472.8 Q .805(It should be evid\
ent that excessive consumption of disk space, \214les, swap space, and process\
es can)97 488.4 R .564(easily occur accidentally in malfunctioning programs as\
 well as at command level.)72 500.4 R .565(In fact)5.565 F F3(UNIX)3.065 E F2
.565(is essen-)3.065 F .409
(tially defenseless against this kind of abuse, nor is there any easy \214x.)72
512.4 R .408(The best that can be said is that it is)5.409 F .096(generally fa\
irly easy to detect what has happened when disaster strikes, to identify the u\
ser responsible, and)72 524.4 R .314(take appropriate action.)72 536.4 R .314
(In practice, we have found that dif)5.314 F .313
(\214culties in this area are rather rare, but we have)-.18 F .45(not been fac\
ed with malicious users, and enjoy a fairly generous supply of resources which\
 have served to)72 548.4 R(cushion us against accidental overconsumption.)72
560.4 Q 2.232(The picture is considerably brighter in the area of protection o\
f information from unauthorized)97 576 R .891(perusal and destruction.)72 588 R
.891(Here the degree of security seems \(almost\) adequate theoretically)5.891
F 3.392(,a)-.65 G .892(nd the prob-)453.336 588 R
(lems lie more in the necessity for care in the actual use of the system.)72
600 Q(Each)97 615.6 Q F3(UNIX)2.82 E F2 .32(\214le has associated with it elev\
en bits of protection information together with a user iden-)2.82 F .948
(ti\214cation number and a user)72 627.6 R .948
(-group identi\214cation number \(UID and GID\).)-.2 F .948
(Nine of the protection bits are)5.948 F 1.024(used to specify independently p\
ermission to read, to write, and to execute the \214le to the user himself, to)
72 639.6 R .266(members of the user)72 651.6 R 1.367 -.55('s g).37 H .267
(roup, and to all other users.).55 F .267
(Each process generated by or for a user has associated)5.267 F .199
(with it an ef)72 663.6 R .198(fective UID and a real UID, and an ef)-.18 F
.198(fective and real GID.)-.18 F .198(When an attempt is made to access)5.198
F 1.096(the \214le for reading, writing, or execution, the user process')72
675.6 R 3.596(se)-.55 G -.18(ff)328.19 675.6 S 1.097
(ective UID is compared against the \214le').18 F(s)-.55 E .749(UID; if a matc\
h is obtained, access is granted provided the read, write, or execute bit resp\
ectively for the)72 687.6 R .069(user himself is present.)72 699.6 R .069
(If the UID for the \214le and for the process fail to match, but the GID')
5.069 F 2.569(sd)-.55 G 2.57(om)454.7 699.6 S .07(atch, the)470.05 699.6 R .32
LW 76 709.6 72 709.6 DL 80 709.6 76 709.6 DL 84 709.6 80 709.6 DL 88 709.6 84
709.6 DL 92 709.6 88 709.6 DL 96 709.6 92 709.6 DL 100 709.6 96 709.6 DL 104
709.6 100 709.6 DL 108 709.6 104 709.6 DL 112 709.6 108 709.6 DL 116 709.6 112
709.6 DL 120 709.6 116 709.6 DL 124 709.6 120 709.6 DL 128 709.6 124 709.6 DL
132 709.6 128 709.6 DL 136 709.6 132 709.6 DL 140 709.6 136 709.6 DL 144 709.6
140 709.6 DL/F4 8/Times-Roman@0 SF<87>72 719.6 Q/F5 7/Times-Roman@0 SF(UNIX)2 E
F4(is a trademark of Bell Laboratories.)2 E EP
%%Page: 2 2
BP/F0 10/Times-Roman@0 SF 288.958(SMM:17-2 On)72 48 R(the Security of)2.5 E/F1
8/Times-Roman@0 SF(UNIX)2.5 E F0 .359(group bits are used; if the GID')72 84 R
2.859(sd)-.55 G 2.859(on)210.885 84 S .359
(ot match, the bits for other users are tested.)223.744 84 R .359
(The last two bits of each)5.359 F(\214le')72 96 Q 2.638(sp)-.55 G .138(rotect\
ion information, called the set-UID and set-GID bits, are used only when the \
\214le is executed as)99.088 96 R 2.743(ap)72 108 S 2.743(rogram. If,)84.183
108 R .242(in this case, the set-UID bit is on for the \214le, the ef)2.743 F
.242(fective UID for the process is changed to)-.18 F .595(the UID associated \
with the \214le; the change persists until the process terminates or until the\
 UID changed)72 120 R .018(again by another execution of a set-UID \214le.)72
132 R .017(Similarly the ef)5.017 F .017
(fective group ID of a process is changed to the)-.18 F .298(GID associated wi\
th a \214le when that \214le is executed and has the set-GID bit set.)72 144 R
.298(The real UID and GID of)5.298 F 2.5(ap)72 156 S(rocess do not change when\
 any \214le is executed, but only as the result of a privileged system call.)
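As an added example (not from the paper), the access rule and the set-UID effect just described, written out as a small Python model; the File, Process and score_file_scenario names are assumptions of the example, and the super-user's override, which the paper treats later, is deliberately left out.

```python
import stat
from dataclasses import dataclass

# Added model of the protection scheme described above: eleven mode bits
# (set-UID, set-GID, and read/write/execute for owner, group and others),
# a file's UID/GID, and a process with real and effective UID/GID. Names
# are this example's own; the super-user override is not modelled here.

R, W, X = 4, 2, 1  # permission bits within one rwx triple


@dataclass(frozen=True)
class File:
    uid: int
    gid: int
    mode: int  # the eleven protection bits, e.g. 0o4711


@dataclass(frozen=True)
class Process:
    ruid: int  # real UID: identifies the user, never changed by exec
    euid: int  # effective UID: the one compared against the file's UID
    rgid: int
    egid: int


def can_access(proc: Process, f: File, want: int) -> bool:
    """Apply the paper's rule: if the effective UID matches the file's UID,
    only the owner bits are consulted; otherwise, if the effective GID
    matches, only the group bits; otherwise only the bits for others."""
    if proc.euid == f.uid:
        bits = (f.mode >> 6) & 0o7
    elif proc.egid == f.gid:
        bits = (f.mode >> 3) & 0o7
    else:
        bits = f.mode & 0o7
    return bits & want == want


def execute(proc: Process, f: File) -> Process:
    """Model running f as a program. Execute permission is checked first;
    then a set-UID file makes the effective UID the file's UID and a
    set-GID file does the same for the effective GID. Real IDs stay."""
    if not can_access(proc, f, X):
        raise PermissionError("no execute permission")
    euid = f.uid if f.mode & stat.S_ISUID else proc.euid
    egid = f.gid if f.mode & stat.S_ISGID else proc.egid
    return Process(proc.ruid, euid, proc.rgid, egid)


def score_file_scenario() -> dict:
    """The game-score arrangement the paper goes on to describe: the score
    file is private to its sponsor, the game program is set-UID to the
    sponsor and executable by everyone, so players reach the score file
    only through the game."""
    sponsor, player = 100, 200
    score = File(uid=sponsor, gid=10, mode=0o600)
    game = File(uid=sponsor, gid=10, mode=0o4711)
    p = Process(ruid=player, euid=player, rgid=20, egid=20)
    inside_game = execute(p, game)
    return {
        "direct": can_access(p, score, R | W),
        "via_game": can_access(inside_game, score, R | W),
        "real_uid_unchanged": inside_game.ruid == player,
    }


if __name__ == "__main__":
    print(score_file_scenario())
```

Note that only the matching class of bits is consulted: an owner whose own bits are empty is refused even when the group bits would permit, which is exactly the paper's rule.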
The basic notion of the set-UID and set-GID bits is that one may write a program which is executable by others and which maintains files accessible to others only by that program. The classical example is the game-playing program which maintains records of the scores of its players. The program itself has to read and write the score file, but no one but the game's sponsor can be allowed unrestricted access to the file lest they manipulate the game to their own advantage. The solution is to turn on the set-UID bit of the game program. When, and only when, it is invoked by players of the game, it may update the score file but ordinary programs executed by others cannot access the score.

There are a number of special cases involved in determining access permissions. Since executing a directory as a program is a meaningless operation, the execute-permission bit, for directories, is taken instead to mean permission to search the directory for a given file during the scanning of a path name; thus if a directory has execute permission but no read permission for a given user, he may access files with known names in the directory, but may not read (list) the entire contents of the directory. Write permission on a directory is interpreted to mean that the user may create and delete files in that directory; it is impossible for any user to write directly into any directory.

Another, and from the point of view of security, much more serious special case is that there is a "super user" who is able to read any file and write any non-directory. The super-user is also able to change the protection mode and the owner UID and GID of any file and to invoke privileged system calls. It must be recognized that the mere notion of a super-user is a theoretical, and usually practical, blemish on any protection scheme.

The first necessity for a secure system is of course arranging that all files and directories have the proper protection modes. Traditionally, UNIX software has been exceedingly permissive in this regard; essentially all commands create files readable and writable by everyone. In the current version, this policy may be easily adjusted to suit the needs of the installation or the individual user. Associated with each process and its descendants is a mask, which is in effect and-ed with the mode of every file and directory created by that process. In this way, users can arrange that, by default, all their files are no more accessible than they wish. The standard mask, set by login, allows all permissions to the user himself and to his group, but disallows writing by others.

To maintain both data privacy and data integrity, it is necessary, and largely sufficient, to make one's files inaccessible to others. The lack of sufficiency could follow from the existence of set-UID programs created by the user and the possibility of total breach of system security in one of the ways discussed below (or one of the ways not discussed below). For greater protection, an encryption scheme is available. Since the editor is able to create encrypted documents, and the crypt command can be used to pipe such documents into the other text-processing programs, the length of time during which cleartext versions need be available is strictly limited. The encryption scheme used is not one of the strongest known, but it is judged adequate, in the sense that cryptanalysis is likely to require considerably more effort than more direct methods of reading the encrypted files. For example, a user who stores data that he regards as truly secret should be aware that he is implicitly trusting the system administrator not to install a version of the crypt command that stores every typed password in a file.

Needless to say, the system administrators must be at least as careful as their most demanding user to place the correct protection mode on the files under their control. In particular, it is necessary that special files be protected from writing, and probably reading, by ordinary users when they store sensitive files belonging to other users. It is easy to write programs that examine and change files by accessing the device on which the files live.

On the issue of password security, UNIX is probably better than most systems. Passwords are stored in an encrypted form which, in the absence of serious attention from specialists in the field, appears reasonably secure, provided its limitations are understood. In the current version, it is based on a slightly defective version of the Federal DES; it is purposely defective so that easily-available hardware is useless for attempts at exhaustive key-search. Since both the encryption algorithm and the encrypted passwords are available, exhaustive enumeration of potential passwords is still feasible up to a point. We have observed that users choose passwords that are easy to guess: they are short, or from a limited alphabet, or in a dictionary. Passwords should be at least six characters long and randomly chosen from an alphabet which includes digits and special characters.

Of course there also exist feasible non-cryptanalytic ways of finding out passwords. For example: write a program which types out "login: " on the typewriter and copies whatever is typed to a file of your own. Then invoke the command and go away until the victim arrives.

The set-UID (set-GID) notion must be used carefully if any security is to be maintained. The first thing to keep in mind is that a writable set-UID file can have another program copied onto it. For example, if the super-user (su) command is writable, anyone can copy the shell onto it and get a password-free version of su. A more subtle problem can come from set-UID programs which are not sufficiently careful of what is fed into them. To take an obsolete example, the previous version of the mail command was set-UID and owned by the super-user. This version sent mail to the recipient's own directory. The notion was that one should be able to send mail to anyone even if they want to protect their directories from writing. The trouble was that mail was rather dumb: anyone could mail someone else's private file to himself. Much more serious is the following scenario: make a file with a line like one in the password file which allows one to log in as the super-user. Then make a link named ".mail" to the password file in some writable directory on the same device as the password file (say /tmp). Finally mail the bogus login line to /tmp/.mail; you can then login as the super-user, clean up the incriminating evidence, and have your will.

The fact that users can mount their own disks and tapes as file systems can be another way of gaining super-user status. Once a disk pack is mounted, the system believes what is on it. Thus one can take a blank disk pack, put on it anything desired, and mount it. There are obvious and unfortunate consequences. For example: a mounted disk with garbage on it will crash the system; one of the files on the mounted disk can easily be a password-free version of su; other files can be unprotected entries for special files. The only easy fix for this problem is to forbid the use of mount to unprivileged users. A partial solution, not so restrictive, would be to have the mount command examine the special file for bad data, set-UID programs owned by others, and accessible special files, and balk at unprivileged invokers.
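An added example, not part of the paper, of the inspection its last paragraph proposes for the mount command: a Python walk over a file tree that flags set-UID programs owned by others, set-UID programs writable by group or others (the "another program copied onto it" case), and device special files accessible to ordinary users. The function names and the finding texts are assumptions of the example; "bad data" in the file-system structure itself is not checked.

```python
import os
import stat
import sys
from typing import List, Optional, Tuple

# Added example, not the paper's own code: the checks the paper suggests
# before a file system is trusted. Function names and finding texts are
# this example's own.

Finding = Tuple[str, str]


def classify(path: str, mode: int, uid: int, invoker_uid: int) -> List[Finding]:
    """Return (path, reason) findings for one directory entry, given its
    st_mode, its owner UID, and the UID of the user doing the mount."""
    findings: List[Finding] = []
    if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
        if uid != invoker_uid:
            # A set-UID program owned by someone else hands out that owner's
            # identity to whoever runs it; on a user-supplied disk that is
            # the password-free su the paper warns about.
            findings.append((path, "set-UID/set-GID program owned by another user"))
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            # Writable set-UID file: another program can be copied onto it.
            findings.append((path, "set-UID/set-GID program writable by group or others"))
    if stat.S_ISCHR(mode) or stat.S_ISBLK(mode):
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            # An accessible device node lets ordinary users read or change
            # files by going to the device the files live on.
            findings.append((path, "special file accessible to ordinary users"))
    return findings


def audit_tree(root: str, invoker_uid: Optional[int] = None) -> List[Finding]:
    """Walk root with lstat (symbolic links are not followed) and collect
    findings for every entry; a missing root simply yields no findings."""
    if invoker_uid is None:
        invoker_uid = os.getuid()
    findings: List[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue  # vanished or unreadable entry: skip, do not abort
            findings.extend(classify(full, st.st_mode, st.st_uid, invoker_uid))
    return findings


if __name__ == "__main__":
    # Usage: audit.py /path/to/mounted/tree
    for path, reason in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: {reason}")
```

A mount wrapper would refuse, or refuse unprivileged invokers, when audit_tree returns anything; the constructed paths in the test below stand in for entries on an untrusted disk.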