"asroot" command (was: Enchancements to SCO UNIX C2 Security)

[Brandon S. Allbery KB8JRR]

As quoted from <b1ii3e.4n3 at wang.com> by fitz at wang.com (Tom Fitzgerald):
+---------------
| paulz at sco.COM (W. Paul Zola) writes:
| >   The utility, asroot(ADM) that allows an authorized user to run a defined 
| >   set of commands as superuser without the root password. 
| 
| One warning to people who install this thing - commands like "asroot" (and
| "sudo", a PD version of the same thing) are substantial security holes.
+---------------

Yes.  I plan to wipe it off our systems after installing the update, just as a
successfully campaigned to remove a similar command (homegrown) from ncoast.
I can't justify its use against the security risk.

There are more security holes in su, though (even in SCO UNIX) --- or, should
I say, they aren't actually in su per se but can use su to be activated.  The
technique uses su -c, although under BSD one could use TIOCSTI to do it as
well.  The only fix for this is to run su always with an explicit pathname,
preferably after moving it from /bin to somewhere else --- because the only
other "fix" would completely gut the shell.

++Brandon
-- 
Me: Brandon S. Allbery			    VHF/UHF: KB8JRR on 220, 2m, 440
Internet: allbery at NCoast.ORG		    Packet: KB8JRR @ WA8BXN
America OnLine: KB8JRR			    AMPR: KB8JRR.AmPR.ORG [44.70.4.88]
uunet!usenet.ins.cwru.edu!ncoast!allbery    Delphi: ALLBERY