C2 and Networking <was: SECURITY BUG IN INTERACTIVE UNIX SYSV386>

Bill England wengland at stephsf.stephsf.com
Wed Feb 20 05:27:16 AEST 1991


In article <249 at raysnec.UUCP> shwake at raysnec.UUCP (Ray Shwake) writes:
>wengland at stephsf.stephsf.com (Bill England) writes:
>
>>   As for the Uucp I believe that having strict C2 requires NOT using
>>   UUCP and disallowing ftp.  I'm not sure if TCP/IP would be 
[...]
>
>I don't think this is true, at least in the case of UUCP. What, after all,
>is the difference between a uucp login and a user login? Both operate under
>the various discretionary access controls, audits, etc. associated with
>C2. FTP may be another story however.

  Well, I knew I did not just pull that bit about Uucp out of a hat;
  here is the reference ...

  In the operating system release notes for SCO ODT pre-availability
  release, on page 4 in section 1.4 'Packages In This Set' there
  is a footnote to the UUCP package.

  "The SCO UNIX Operating System Release 3.2 is designed to meet the 
  requirements of the C2 level of "trust" as defined by the "Trusted 
  Computer System Evaluation Criteria", also known as the "Orange Book".  
  If you plan to follow these guidelines, those software packages marked 
  by an asterisk must not be installed on your system.  By not installing 
  these packages you can ensure that your system operates at a greater 
  level of security."

  Obviously this is incomplete, and I can't think of a more useless 
  piece of equipment than a Unix box without Uucp or other networking.
  Also, this may have changed since the EAP release as I have not
  been able to find a similar reference in the newer documentation.

  Certainly what is said above about not including Uucp if you want
  more security is true.  For one thing it precludes others from 
  executing remote jobs on your system and keeps your data from 
  leaking out across the telephone lines.

  Is UUCP insecure for other reasons?  Are there Trojans in UUCP 
  that have not been removed?  What exactly does the "Orange book"
  say about Uucp and networking in general?


-- 
 +-  Bill England,  wengland at stephsf.COM -----------------------------------+
 |   * *      H -> He +24Mev                                                |
 |  * * * ... Oooo, we're having so much fun making itty bitty suns *       |
 |__ * * ___________________________________________________________________| 


