

security              Technical Information              security




Because COHERENT is  a multi-user, multi-tasking operating system
which  can support  users from  remote  terminals, steps  must be
taken to ensure that the system is secure.  Sensitive information
that is stored on the system must be protected from being read or
copied by  unauthorized persons; files must  be protected against
vandalization by  intruders.  Unless  a reasonable degree  can be
guaranteed, no multi-user  operating system can be trusted to ar-
chive important information.

In one  sense, it is easy  to achieve perfect security  in a com-
puter system.   As Grampp and Morris have noted,  ``It is easy to
run a secure  computer system.  You merely disconnect all dial-up
connections,  put the  machine and  its  terminals in  a shielded
room,  and  post  a guard  at  the  door.''  For practical  uses,
however, security means balancing ease of access against restric-
tiveness:  users should  have  easy access  to  what is  properly
theirs, and  should be barred from system  facilities that do not
belong to them.

The  COHERENT  system  has the  following  tools  to assist  with
security.

_P_a_s_s_w_o_r_d_s Every  user account can be  ``locked'' with a password.
          Each user  can assign her own  password, and the system
          administrator can set passwords for the superusers root
          and bin.

          Passwords  should be  changed  frequently.  A  password
          should have  at least six  characters, should not  be a
          common name  or word,  and preferably should  include a
          mixture  of upper- and  lower-case letters,  to prevent
          decryption by brute-force methods.

          Passwords should be  guarded jealously.  In particular,
          the  password for  the  superuser root  should be  kept
          secret, as  she can read  every file and  execute every
          program throughout the system.

_P_e_r_m_i_s_s_i_o_n_s
          Execution of  system-level programs, such  as mount, is
          restricted  to the superuser  root.  This  prevents in-
          truders from seizing  superuser permissions through un-
          authorized manipulation  of system  services.  Ordinary
          users are  also restricted from  directly access system
          devices, for the same reason.

_E_n_c_r_y_p_t_i_o_n
          The command  crypt performs rotary  encryption, similar
          to that  used by the  German Enigma machine.   Files of
          sensitive information  should be encrypted,  to protect
          them against being  read by unauthorized persons.  Note
          that encryption  is the  only true defense  against un-
          authorized reading: not  even the superuser can read an
          encrypted file unless she has the encryption key.


COHERENT Lexicon                                           Page 1




security              Technical Information              security




Many COHERENT  systems have only one user  and are not networked;
for such  installations, the normal  level of security  may be an
annoyance.   Passwords can  be turned  off  by using  the command
passwd to set the password to <return>.  The command chmod can be
used to  widen access to devices  and system-level utilities; see
the Lexicon entry for chmod for more information on file access.

Security  ultimately is a  system-wide responsibility.   To quote
Grampp and  Morris, ``By far, the greatest  security hazard for a
system ...  is the set of  people who use it.   If the people who
use a  machine are naive about security  issues, the machine will
be vulnerable regardless of what is done by the local management.
This applies particularly to the system's administrators, but or-
dinary users should also take heed.''

***** See Also *****

chmod, crypt, passwd, technical information
Grampp FT, Morris  RH: UNIX operating system security.  _A_T&_T _B_e_l_l
_L_a_b _T_e_c_h _J 1984;8:1649-1672.




































COHERENT Lexicon                                           Page 2


