[3981] in Athena Bugs
Re: XLogin source
daemon@ATHENA.MIT.EDU (probe@ATHENA.MIT.EDU)
Mon Jan 15 21:22:19 1990
From: probe@ATHENA.MIT.EDU
Date: Mon, 15 Jan 90 21:21:56 -0500
To: cfields@ATHENA.MIT.EDU
Cc: bugs@ATHENA.MIT.EDU, jik@ATHENA.MIT.EDU
In-Reply-To: Craig Fields's message of Mon, 15 Jan 90 21:00:35 -0500,
Reply-To: Richard Basch <probe@MIT.EDU>
   From: cfields@ATHENA.MIT.EDU
   Date: Mon, 15 Jan 90 21:00:35 -0500

   I was poking around the afs directories the other day, and found that
   the source to xlogin in /afs/athena.mit.edu/astaff/project/xdm (and
   everything in that directory) is world readable. This greatly
   facilitates the writing of login Trojan Horses. So if you're concerned
   about that...

   Craig

It may be easy to write a login Trojan Horse, but not with those
sources... those were sources that were being developed; they bear no
resemblance (not even in user-interface) to the current xlogin.
All of the software that Athena produces is actually in the public
domain, and can probably be obtained via many channels. The only reason
that most of it is not accessible directly is that it is intermixed with
all the licensed sources.
There are other mechanisms being developed to avoid having trojan horse
login programs placed on public workstations (and I am not
referring to the crock where rebooting a workstation cleans up most
hacks); sometime I will explain them to you, as I am sure we will be
meeting sometime soon.
-Richard