> On 11-Sep-2003/13:58 -0500, B McAndrews <[EMAIL PROTECTED]> wrote:
>
>Could someone straighten me out here.  When did Unix based system become 
>the bastion of security?  In a former lifetime, I used to work on 
>VAX/VMS for classified (as in military) work.  I can't remember the 
>issues, but when we started moving off the VAX/VMS over to Unix 
>workstations, the IT security folks were not at all comfortable with the 
>security of Unix compared to the VAX/VMS.  Does anyone have any insights 
>as to why that might be?

Your IT security folks were wise.  The buffer overrun problem that is
common in Unix exploits simply does not exist in VMS.  I've been
managing VMS systems for 20 years and if I can remember correctly, there
were exactly 2 cases where DEC was forced to send out mandatory update
CDs to fix major security holes. Solaris, HP-UX, and Linux all
experience frequent major vulnerabilities that are usually quickly
patched (at least Linux is - HP and Solaris are *much* slower).

VMS has access control lists done right.  Linux, HP-UX, and Solaris all
have pretty limited implementations.  VMS has persona system services
and multiple privilege levels.  The other 3 have exactly 2 privilege
levels - either you're root or you're not.  VMS has access controls on
most objects - batch and print queues, devices, etc.  Unix doesn't.  In
many ways, NT/2k/XP has a better security implementation than Unix
(especially file access), although in other ways it's much worse (too
much stuff runs in a fully privileged mode and file protections are not
utilized the way they should be in order to maintain compatibility with
legacy applications).

That doesn't mean you can't run secure production environments on Unix -
if I told you that I'd obviously be bs'ing since a lot of people do it.
It's just that VMS makes it a lot easier.

If I installed a VMS system from its base distribution and put it naked
on the Internet, it would not be hacked - either soon or after many
months even if I didn't apply any updates.  Most Unix distributions and
Windows will be hacked - either immediately after the system is probed
or within days afterwards as vulnerabilities are found unless patches
are continually applied.

To a very large extent, the security of the system is dependent on the
skills of the administrator.  You can screw up VMS - I've seen a case
where a developer wrote an application that accepted an arbitrary
command from an arbitrary host and executed it in a fully privileged
context without any sort of validation whatsoever.  You can screw up any
other kind of system the same way.  Good sysadmins that are able to
control their environments properly won't let that happen (some
sysadmins have the control but not the skills, and some have the skills
but not the control).  Similarly, if you don't patch your systems (it
usually doesn't matter what the OS is), you are asking for trouble.

-- 
Ed Wilts, Mounds View, MN, USA
mailto:[EMAIL PROTECTED]
Member #1, Red Hat Community Ambassador Program


-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://www.redhat.com/mailman/listinfo/redhat-list
