Path: utzoo!utgpu!jarvis.csri.toronto.edu!rutgers!cs.utexas.edu!uunet!ficc!peter
From: peter@ficc.uu.net (Peter da Silva)
Newsgroups: comp.unix.wizards
Subject: Re: Getting rid of the root account
Message-ID: <4554@ficc.uu.net>
Date: 14 Jun 89 20:25:30 GMT
References: <127@orchid.warwick.ac.uk> <16659@rpp386.Dallas.TX.US> <16662@rpp386.Dallas.TX.US>
Organization: Xenix Support
Lines: 53

In article <16662@rpp386.Dallas.TX.US>, jfh@rpp386.Dallas.TX.US (John F. Haugh II) writes a whole bunch of stuff about trusted computing bases (which he abbreviates throughout as TCB without explaining this abbreviation)...

> Your assumption is that you will be able to obtain, through some
> machinations an arbitrary privilege. A system with this as a flaw is
> open to more direct attacks than having bogus file systems mounted.

Actually that's a pretty direct attack. But, yes, I'm assuming that you will be able to obtain, through some machinations, any arbitrary privilege.

I have read somewhat about the subject, and I find it hard to credit that a useful system could be built that will satisfy all the requirements of a TCB. Security and convenience are diametrically opposed goals. In any real system that's open enough to get any actual work done, there will be holes. No matter how many people work through the code in an attempt to verify it... an operating system is far more complicated than any mathematical proof, for example, and look at the work necessary to validate one of those. So all you get for your effort is a warm fuzzy feeling that your system is secure.

If you really want security, lock the terminal and computer up in a Faraday cage, and don't let anything in or out except well filtered line current.

Dropping back a few notches to UNIX, now, let's consider a real system. One that's sitting in a computer room with maybe a locked door keeping people from sliding in a boot tape and hitting restart. Minimal physical security.

That's about the closest thing to a secure system 99% of the people need. Now, what advantage would ripping root into a dozen separate capabilities (yet with complex interactions that have to be checked) give a system like that?

> You assume a trusted system is going to trust any data being imported?

I assume a real system outside the DoD is going to allow people to do real work. And, frankly, I don't care what a system inside the DoD allows.

> The objections Peter has raised display
> a severe lack of understanding about the current state of the art in
> trusted systems designs.

We're not talking about DoD-certified paranoid systems in Falls Church, we're talking about the typical UNIX system: a departmental or single-user computer doing software development, accounting, engineering, etc...
--
Peter da Silva, Xenix Support, Ferranti International Controls Corporation.
Business: uunet.uu.net!ficc!peter, peter@ficc.uu.net, +1 713 274 5180.
Personal: ...!texbell!sugar!peter, peter@sugar.hackercorp.com.