Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!csd4.milw.wisc.edu!cs.utexas.edu!uunet!uvm-gen!tnl!norstar
From: norstar@tnl.UUCP (Daniel Ray)
Newsgroups: comp.unix.wizards
Subject: Re: What kinds of things would you want in the GNU OS?
Summary: unchangeable log files immune to root
Message-ID: <214@tnl.UUCP>
Date: 30 Jun 89 16:42:52 GMT
References: <20037@adm.BRL.MIL> <205@marvin.moncam.co.uk> <1035@riddle.UUCP> <8906272337.AA24210@cscwam.UMD.EDU>
Organization: The Northern Lights, Burlington VT
Lines: 35

In article <8906272337.AA24210@cscwam.UMD.EDU>, stripes@wam.UMD.EDU writes:
> ...
> I would like to see a few extra protection bits in the new kernel. A bit
> for append-only (the kernel fseeks to the end of the file before each write).
> This could be used for all sorts of logs where you are more concerned with
> preserving past history than making sure that the new entries are OK.
> (or for game hi-scores, or for people to drop messages into, or whatever).
> It also seems somehow "cleaner" to set the append bit for a directory to
> indicate that people can create files here, but not unlink/move others' files
> ...

This is a great idea, I think! A while back I thought of something like this
which would work as follows:

1. A new (or new use of a) directory permission bit, such as using SUID/SGID
   or something new, would designate the dir as "append only except edit in
   single user mode". This would apply to root as well. So, audit trails and
   logfiles could not be modified except when the machine was brought down to
   single user mode at the local console. Files in the dir could be appended
   to, however, if the mode on the file permitted writes. Existing data could
   not be modified by anyone in multiuser mode.

2. The permission bit could only be unset in single-user mode where the person
   has local access to the cpu.

3. If someone broke into the machine and became root remotely, they could not
   erase their logged attempts to clean up after the breakin.
One of the big flaws of UNIX is that one root can do battle with all others,
so the breakin root can take over. The kernel should enforce some accesses
based on locality to the physical machine instead of by login/su validation.

norstar      The Northern Lights, Burlington Vermont     |    You are down
             tnl dialins: 802-865-3614 at 300-2400 bps.  ` | /   down down
             ------------------------------------------  --- * ---  the dark
             uucp: uunet!uvm-gen!tnl!norstar or            / | .  black waters.
                   {decvax,linus}!dartvax!uvm-gen!tnl!norstar |
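The two policies argued for in this thread, a write to an append-only file that always lands at end-of-file (stripes' bit) and an append-only flag that not even root can clear outside single-user mode at the console (norstar's points 1 to 3), can be modelled as a small set of access checks. The following is an added example, not code from the original posting or from any kernel: a user-space model of those checks. All names (ao_file, ao_write, ao_chmod, ao_truncate, AO_APPEND_ONLY, the machine/process structs) are hypothetical, and the scenario data is constructed.

```c
/* Added example: user-space model of an append-only file policy that binds
 * to machine state rather than to uid 0. Hypothetical names throughout;
 * this is not a real kernel interface. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <errno.h>

#define AO_APPEND_ONLY 0x1000   /* hypothetical "append-only" mode bit */
#define AO_WRITE       0x0002   /* ordinary write permission, simplified */

enum run_level { MULTI_USER = 0, SINGLE_USER = 1 };

struct machine { enum run_level level; };        /* global system state */
struct process { int uid; bool on_console; };    /* uid 0 == root */

struct ao_file {
    unsigned mode;
    char data[256];
    size_t len;
};

/* Policy 1: on an append-only file every write is forced to EOF, whatever
 * offset the caller asked for, so existing records are never overwritten.
 * Returns bytes written, or -errno. */
long ao_write(struct ao_file *f, size_t offset, const char *buf, size_t n)
{
    if (!(f->mode & AO_WRITE))
        return -EACCES;
    if (f->mode & AO_APPEND_ONLY)
        offset = f->len;                 /* "fseek to the end before each write" */
    else if (offset > f->len)
        return -EINVAL;
    if (offset + n > sizeof f->data)
        return -ENOSPC;
    memcpy(f->data + offset, buf, n);
    if (offset + n > f->len)
        f->len = offset + n;
    return (long)n;
}

/* Truncation would destroy history just as surely as overwriting, so an
 * append-only file may only grow. */
int ao_truncate(struct ao_file *f, size_t new_len)
{
    if ((f->mode & AO_APPEND_ONLY) && new_len < f->len)
        return -EPERM;
    if (new_len > sizeof f->data)
        return -EINVAL;
    if (new_len > f->len)
        memset(f->data + f->len, 0, new_len - f->len);
    f->len = new_len;
    return 0;
}

/* Policy 2: the append-only bit can be cleared only in single-user mode by a
 * process on the local console. Root privilege alone does not suffice, so a
 * remotely obtained root shell cannot unlock the log. */
int ao_chmod(const struct machine *m, const struct process *p,
             struct ao_file *f, unsigned new_mode)
{
    bool clearing = (f->mode & AO_APPEND_ONLY) && !(new_mode & AO_APPEND_ONLY);
    if (clearing && !(m->level == SINGLE_USER && p->on_console))
        return -EPERM;
    if (p->uid != 0)
        return -EPERM;                   /* ordinary chmod check, simplified */
    f->mode = new_mode;
    return 0;
}

/* Constructed scenario: a remote root session tries three ways of erasing a
 * logged record. Returns 1 if every attempt is refused as intended. */
int remote_root_cannot_rewrite(void)
{
    struct machine m = { MULTI_USER };
    struct process intruder = { 0, false };
    struct ao_file log = { AO_WRITE | AO_APPEND_ONLY, "", 0 };

    ao_write(&log, 0, "login failed from remote\n", 25);
    ao_write(&log, 0, "ok\n", 3);              /* overwrite attempt: lands at EOF */
    if (strncmp(log.data, "login failed", 12) != 0) return 0;
    if (ao_truncate(&log, 0) != -EPERM) return 0;                /* truncate */
    if (ao_chmod(&m, &intruder, &log, AO_WRITE) != -EPERM) return 0; /* unlock */
    return 1;
}

/* Constructed scenario: the administrator at the console in single-user
 * mode may clear the bit and then edit. Returns 1 on success. */
int console_single_user_can_edit(void)
{
    struct machine m = { SINGLE_USER };
    struct process admin = { 0, true };
    struct ao_file log = { AO_WRITE | AO_APPEND_ONLY, "", 0 };

    ao_write(&log, 0, "x\n", 2);
    if (ao_chmod(&m, &admin, &log, AO_WRITE) != 0) return 0;
    if (ao_truncate(&log, 0) != 0) return 0;
    return log.len == 0;
}

int main(void)
{
    printf("remote root blocked: %d\n", remote_root_cannot_rewrite());
    printf("console admin allowed: %d\n", console_single_user_can_edit());
    return 0;
}
```

The essential design point is in ao_chmod: the decision consults machine state (run level, console locality) that a network login cannot forge, which is exactly the "locality to the physical machine" the post asks for. Later systems took this route; 4.4BSD's sappnd file flag cannot be cleared while securelevel is raised, and Linux's append-only attribute (chattr +a) requires a capability that a hardened system can withhold even from root.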