Rackable Systems acquires SGI
Posted Apr 1, 2009 18:21 UTC (Wed) by ajross (subscriber, #4563)
It feels just wrong somehow.
Posted Apr 1, 2009 18:49 UTC (Wed) by kent (guest, #3834)
Posted Apr 1, 2009 18:55 UTC (Wed) by quotemstr (subscriber, #45331)
Posted Apr 1, 2009 19:14 UTC (Wed) by kent (guest, #3834)
Irix also holds the world record for lowest TCP port number
involved in security problems, 1/tcp:
Posted Apr 1, 2009 23:53 UTC (Wed) by jd (guest, #26381)
Posted Apr 2, 2009 11:22 UTC (Thu) by tialaramex (subscriber, #21167)
The A and B ratings you're talking about don't involve actual security, but only certifying to a standard. It is perfectly possible to have gaping holes in your system's security, so long as the design document doesn't call enough attention to them for the audit to notice.
A conscientious developer would obviously want to not only meet the requirements of the standard but also build a system that was secure in practice. But not everyone is conscientious, and those who are may find that they have too few resources and the business prioritises the certification.
As an example, it is not uncommon to find that you can meet the requirements by writing "After installation, the following four pages of instructions must be followed in order to set and enable the access password". The auditors will follow the steps, and sure enough they work. But unfortunately 99% of real world installs will not have these complex steps followed and will remain insecure.
Or you may decide that some of the requirements impose onerous restrictions on development systems, so you provide a simple dip switch which disables key security features. Certified systems have the dip switch unset, but it's shipped set for the convenience of development and testing staff and nobody changes it unless they're explicitly told to do so on a production machine. Even support engineers may set it, and forget to put it back. So in practice again 99% of real world systems are insecure.
Rainbow Books & Security
Posted Apr 3, 2009 0:20 UTC (Fri) by jjs (guest, #10315)
Posted Apr 2, 2009 13:54 UTC (Thu) by ghamlin (guest, #57789)
Irix had many fine qualities. SGI packaging sensibilities were actually somewhat similar to Red Hat in many ways. Most commercial Unixes shipped awful configuration files. Linux was always better here, IMO. Irix was above average.
However, for all its features, Irix had the worst security of any Unix I can think of.
SUID executables that don't set PATH. 'EZsetup' accounts that were easy to leave enabled by accident. Other odd accounts with default passwords for 'demo software'.
SysV style 'chown give-away' worked. So if you could create a file somewhere you could set the permission and then give it to a user. This leads to all sort of bizarre vulnerabilities when utilities check to see if the file's ownership and permissions are safe before trusting its contents.
However, Irix could be secured. The OS was fairly decent. They just made it a challenge. Basically don't trust anything they wrote with SUID. Remove all their cronjobs and wonder what bizarre 'feature' you broke. :)
They did have some nice features... GL, FAM, XFS. They would periodically show off and set new IO records with their architecture, but they also used some fancy techniques to set records that were a bit dodgy and have not been ported elsewhere. (I vaguely recall it was possible to do device-to-device DMA transfers, for example.)
Really, SGIs were just nice machines; not everything they did was polished, but the systems were pleasant and shiny. They have never been smart on the business side, however. They failed over and over again. The visual workstations were a failure. They were hurt by the Itanium failure. I was pleased with their Linux work, but I lost a lot of respect for them when they stripped Cray of the T3E and killed that product rather than allow a much cheaper HPC solution to exist. They were not the most common machines to compile software on. Sometimes I would see messages from build scripts like 'Holy crap that worked send me an email at ...' when I would finish building things.
* chown give-away means root privilege is not required to assign ownership to someone else, for example:
$ touch my_gift_to_you
$ chmod 600 my_gift_to_you
$ chown you my_gift_to_you
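The point ghamlin makes about chown give-away is worth seeing in code: a utility that trusts a file because "it is owned by root and mode 0600" is fooled on a give-away system, because whoever created the file can set that mode and then hand the file to root. The defence is the directory-chain check that hardened programs apply to their config files: every directory from a trusted anchor down to the file must itself be owned by a trusted user and not writable by anyone else, so nobody but that user could have created the file in the first place. The following Python is an added example written for this page, not code from the commenter, from Irix or from any SGI utility. The names naive_owner_check, path_is_trusted and build_demo_tree are hypothetical, the sample tree is constructed under a private temporary directory, and no give-away chown is actually performed; the demo only shows which check a planted file slips past and which one rejects it.

```python
import os
import stat
import tempfile

# Hypothetical helper names for this example; they are not from any library.


def naive_owner_check(path, trusted_uids=None):
    """The weak check: trust a file if its owner is trusted and it is not
    writable by group/other.  SysV-style chown give-away defeats exactly this:
    the creator can chmod the file and then hand it to a trusted owner, so
    owner and mode say nothing about who actually wrote the contents."""
    if trusted_uids is None:
        trusted_uids = {0, os.getuid()}
    st = os.stat(path)
    return st.st_uid in trusted_uids and not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def path_is_trusted(path, trust_anchor=os.sep, trusted_uids=None):
    """Directory-chain check: every component from `trust_anchor` down to the
    file must be owned by a trusted uid, must not be writable by group or
    other, and must not be a symlink.  A file can only be planted (and given
    away) inside a directory the attacker can write to, so refusing any
    other-writable directory on the path closes the give-away trick.
    `trust_anchor` is a directory the caller already trusts: "/" in real use;
    the demo below passes its own private temporary directory."""
    if trusted_uids is None:
        trusted_uids = {0, os.getuid()}
    resolved = os.path.abspath(path)      # normalise, but do not resolve symlinks
    anchor = os.path.abspath(trust_anchor)
    rel = os.path.relpath(resolved, anchor)
    if rel == os.curdir or rel == os.pardir or rel.startswith(os.pardir + os.sep):
        return False, f"{resolved}: not strictly below trust anchor {anchor}"

    # Build the list anchor, anchor/a, anchor/a/b, ..., file.
    components = [anchor]
    current = anchor
    for name in rel.split(os.sep):
        current = os.path.join(current, name)
        components.append(current)

    for i, p in enumerate(components):
        is_final = i == len(components) - 1
        try:
            st = os.lstat(p)              # lstat so a symlink is seen as a symlink
        except OSError as e:
            return False, f"{p}: {e.strerror}"
        if stat.S_ISLNK(st.st_mode):
            return False, f"{p}: symbolic link on trusted path"
        if is_final and not stat.S_ISREG(st.st_mode):
            return False, f"{p}: not a regular file"
        if not is_final and not stat.S_ISDIR(st.st_mode):
            return False, f"{p}: not a directory"
        if st.st_uid not in trusted_uids:
            return False, f"{p}: owned by uid {st.st_uid}, which is not trusted"
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return False, f"{p}: writable by group or other"
    return True, "ok"


def build_demo_tree():
    """Construct a sample tree (made up for this example) under a private temp
    directory: one file in a locked-down directory, and one in a world-writable
    'dropbox' directory where anyone could have created it and given it away."""
    root = tempfile.mkdtemp(prefix="giveaway-demo-")
    os.chmod(root, 0o700)

    good = os.path.join(root, "good.conf")
    with open(good, "w") as f:
        f.write("setting = safe\n")
    os.chmod(good, 0o644)

    dropbox = os.path.join(root, "dropbox")
    os.mkdir(dropbox)
    os.chmod(dropbox, 0o777)              # shared scratch dir: anyone can create entries here

    planted = os.path.join(dropbox, "planted.conf")
    with open(planted, "w") as f:
        f.write("setting = attacker-controlled\n")
    os.chmod(planted, 0o600)              # looks private; after a give-away chown it would look root-owned too
    return root, good, planted


if __name__ == "__main__":
    root, good, planted = build_demo_tree()
    for p in (good, planted):
        print(f"{p}\n  naive owner/mode check: {naive_owner_check(p)}"
              f"\n  directory-chain check:  {path_is_trusted(p, trust_anchor=root)}")
```

Run as a script it prints that the planted file passes the owner/mode check but fails the directory-chain check with the reason that its parent directory is writable by others, while the file in the locked-down directory passes both. The same logic is why a privileged program should never treat a file under a shared directory such as /tmp as trustworthy on the strength of its owner alone, give-away chown or not.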
Posted Apr 1, 2009 21:10 UTC (Wed) by cdarroch (guest, #26812)
blew anything one's personal Hercules Graphics Card could do out of the water.
Posted Apr 1, 2009 22:19 UTC (Wed) by nix (subscriber, #2304)
(My first exposure to Unix was SGI Indigos. Those were wonderful machines.
How are the mighty fallen...)
Posted Apr 1, 2009 23:55 UTC (Wed) by jd (guest, #26381)
Posted Apr 2, 2009 1:39 UTC (Thu) by rahvin (subscriber, #16953)
Posted Apr 2, 2009 0:27 UTC (Thu) by ncm (subscriber, #165)
Posted Apr 1, 2009 19:16 UTC (Wed) by BrucePerens (guest, #2510)
Posted Apr 1, 2009 22:34 UTC (Wed) by ncm (subscriber, #165)
Posted Apr 2, 2009 2:21 UTC (Thu) by MattPerry (guest, #46341)
People without the mentality of a five year old. Not everyone acts like a moron on April 1.
probably not a joke
Posted Apr 5, 2009 11:15 UTC (Sun) by dlang (✭ supporter ✭, #313)
so unless they fooled their own people (and didn't send out a correction afterwards), this isn't a joke.
Posted Apr 1, 2009 19:58 UTC (Wed) by jengelh (subscriber, #33263)
Posted Apr 1, 2009 20:03 UTC (Wed) by arekm (subscriber, #4846)
Posted Apr 1, 2009 20:07 UTC (Wed) by lmb (subscriber, #39048)
Posted Apr 3, 2009 2:19 UTC (Fri) by stevelord (guest, #53493)
There is some cool stuff in CXFS, but it was always very complex and extremely hard to deal with inter machine deadlocks. The version which became a product was the simplified version too.
Posted Apr 2, 2009 8:29 UTC (Thu) by barryn (subscriber, #5996)
Am I the only person who thinks the SGI press release is burying the lede? Here's a Bloomberg article that doesn't (IMO):
Silicon Graphics Files Bankruptcy With Plans for Sale
BTW, here's the Form 8-K that SGI filed with the SEC regarding this matter. Did anyone else notice this? "The assets to be acquired do not include certain non-core patents, which will be retained by SGI." I don't know if that will have real-world consequences to anyone other than SGI, but it caught my eye nonetheless.
Posted Apr 3, 2009 3:43 UTC (Fri) by larry (subscriber, #6023)
Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds