C2 and Networking <was: SECURITY BUG IN INTERACTIVE UNIX SYSV386>
Bill England
wengland at stephsf.stephsf.com
Wed Feb 20 05:27:16 AEST 1991
In article <249 at raysnec.UUCP> shwake at raysnec.UUCP (Ray Shwake) writes:
>wengland at stephsf.stephsf.com (Bill England) writes:
>
>> As for the Uucp I believe that having strict C2 requires NOT using
>> UUCP and disallowing ftp. I'm not sure if TCP/IP would be
[...]
>
>I don't think this is true, at least in the case of UUCP. What, after all,
>is the difference between a uucp login and a user login? Both operate under
>the various discretionary access controls, audits, etc. associated with
>C2. FTP may be another story however.
Well, I knew I did not just pull that bit about Uucp out of a hat;
here is the reference ...

In the operating system release notes for SCO ODT pre-availability
release, on page 4 in section 1.4 'Packages In This Set' there
is a footnote to the UUCP package.

"The SCO UNIX Operating System Release 3.2 is designed to meet the
requirements of the C2 level of "trust" as defined by the "Trusted
Computer System Evaluation Criteria", also known as the "Orange Book".
If you plan to follow these guidelines, those software packages marked
by an asterisk must not be installed on your system. By not installing
these packages you can ensure that your system operates at a greater
level of security."

Obviously this is incomplete, and I can't think of a more useless
piece of equipment than a Unix box without Uucp or other networking.
Also, this may have changed since the EAP release as I have not
been able to find a similar reference in the newer documentation.

Certainly what is said above about not including Uucp if you want
more security is true. For one thing it precludes others from
executing remote jobs on your system and keeps your data from
leaking out across the telephone lines.

Is UUCP insecure for other reasons? Are there Trojans in UUCP
that have not been removed? What exactly does the "Orange book"
say about Uucp and networking in general?
--
+- Bill England, wengland at stephsf.COM -----------------------------------+
| * * H -> He +24Mev |
| * * * ... Oooo, we're having so much fun making itty bitty suns * |
|__ * * ___________________________________________________________________|