Security on A/UX

wtr at moss.ATT.COM wtr at moss.ATT.COM
Tue Oct 4 03:16:07 AEST 1988 

In article <3242 at emory.uucp> km at emory.uucp (Ken Mandelberg) writes:

>We are starting to think about using A/UX for student Unix workstations
>in our lab. One concern in this environment is security. There are
>probably lots of issues to consider but the first one that comes to
>mind is the floppy disk.

>1) It would seem that a student could do mischief by putting in a MacOS
>systems floppy and pushing reset. Once in MacOS he could have his way
>with the hard disk. Is there a way to disable boots from floppy without
>physically disconnecting it?

Disable reset?  Or lock the main cabinet away.  If you don't need to
allow the students access to the main console, then just run 
dumb terminals off the box and lock it up.

>2) Even from A/UX the floppy is a problem. It seems a shame not to
>allow students to have small personal filesystems on floppy, but if
>mount access is allowed there is little to stop the student from
>presenting a file system with a setuid program on it. I guess the thing
>to do here is write a setuid frontend to mount that does a fsck, mounts
>only in a prescribed place, and searches the floppy for setuid
>program.

another possible solution would be to show the students how to
use cpio to backup a filesystem (their own)  then a student could 
just carry around a disk with their files on it, and move them easily 
between machines.  not as "neat" as mounting the floppy, but safer
and also a lot faster disk access for the student once they've
uploaded.

>What are the other security issues to consider?

a similar problem as #1, but with the student gaining root 
privlege by rebooting the machine and bringing it up single user.

also, if you are going to be using this setup for homework/class
assignments where the students are all doing individual work
of an identical nature (e.g. "problem #5 on page 69 of your text"),
then it's a good idea to warn students to set their file
access to 700 (rwx------) to prevent the 'shared homework'
syndrome.

i'm not real familiar with A/UX, having only played with it
a couple of times.  however, these problems are inherent in
any small pc-base-unix/workstation where the user has access
to the hardware itself.  ( I'm running microport SV/AT on an
AT-clone ).

good luck with it! hope this has helped.

>Ken Mandelberg      | km at mathcs.emory.edu          PREFERRED

=====================================================================
Bill Rankin
Bell Labs, Whippany NJ
(201) 386-4154 (cornet 232)

email address:		...![ att ulysses allegra ]!moss!wtr
			...![ att akgua watmath  ]!clyde!wtr
=====================================================================

More information about the Comp.unix.aux mailing list