Path: utzoo!attcan!uunet!zaphod.mps.ohio-state.edu!sdd.hp.com!apollo!apollo.hp.com!pato
From: pato@apollo.HP.COM (Joe Pato)
Newsgroups: comp.sys.apollo
Subject: Re: Registries and security
Message-ID: <4dbb5bb7.20b6d@apollo.HP.COM>
Date: 31 Oct 90 19:27:00 GMT
References: <9010291025.AA01144@apo.esiee.fr>
Sender: root@apollo.HP.COM
Reply-To: pato@apollo.HP.COM (Joe Pato)
Organization: Hewlett-Packard Apollo Division - Chelmsford, MA
Lines: 91

In article <9010291025.AA01144@apo.esiee.fr>, bonnetf@apo.esiee.fr (bonnet-franck) writes:
|> Hi,
|>
|> I would like to inform Internet APOLLO users that
|> it is VERY important to set only ONE owner of the
|> registries using /etc/edrgy ...
|>

We agree that if you are interested in security you must set owners on the registry and the internal registry objects (the name domains, and each person, group or org). You do not, however, need to set these owners to a single individual.

|> At the beginning we had set "root.%.%" as the owner
|> of all our registries, and it was a security mistake.
|>
|> Now we have set "root.staff.none" as the owner of ALL
|> the accounts; in this configuration ONLY "root.staff.none"
|> is allowed to modify registries.
|>
|> In the past anybody was able to add, for example, a
|> "root.server.none" entry in the registries and then
|> this user could be logged in as ROOT on the system (bad)...
|>

Your problem must have been that you neglected to set the owner field on the "root" person. (By default the rgy_create tool creates all entries owned by %.%.%.) New objects created by edrgy inherit the ownership information that is attached to the particular naming domain. Given that the root person was owned by %.%.%, then you are right - anyone can create new root.... accounts. Once you set the owner on the root person, however, only that owner will be able to create new "root" accounts.

You should read the discussion on owners in the manual and in the reprint of the 1988 Usenix paper included in the "Principles of Domain/OS" manual.

|> In order to better protect the system we have protected
|> the /etc/edrgy command like the following:
|>
|> $ lsacl /etc/edrgy
|> root.staff.none prwx-
|> %.staff.% [Ignore]
|> %.%.none [Ignore]
|> %.%.% ----k
|>

There is no need to change the acl on the edrgy program. The program has no special privileges to manipulate the registry - it simply makes the appropriate calls on the rgy_$ library which turn into remote procedure calls to the registry server. All access control checking with respect to operations on the contents of the registry is performed by the registry server. The identity of the caller is established via a cryptographic authentication protocol - so the invoker of the tool has to have logged in and provided a password to successfully manipulate the registry. The problems you have seen are simply that the access control information associated with the registry objects (the owner fields) has been left wide open (%.%.%).

|> Of course you must NOT forget the root.staff.none
|> password ... But here we run in a very aggressive environment.
|>
|> I hope this could help.
|>
|> --------------------------------------------------------------------------------|
|> bonnetf@apo.esiee.fr                       |                            |
|> Frank Bonnet                               | Surfing ...                |
|> E.S.I.E.E                                  |                            |
|> BP99 93162 Noisy le Grand cedex.FRANCE.    | the rest is details !      |
|> Fax : 33 1 45 92 66 99                     |                            |
|> --------------------------------------------------------------------------------|
|>

--
Joe Pato
Cooperative Object Computing Operation
Hewlett-Packard Company
pato@apollo.hp.com
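To make the ownership rule in Joe's reply concrete (new objects inherit the owner of their naming domain, so a %.%.% owner on the root person lets anyone create root.* accounts until that owner is set), here is a small Python model of the check. It is an added example written for this page, not Apollo/Domain/OS code and not from either poster; Registry, principal_matches, attempt, walkthrough and the sample principals are constructed for it, and the rule that creating an account requires owning its person entry is an assumption of the model (the post only discusses the person-side owner).

```python
"""Toy model of the registry ownership rules described in the post.

This is an added illustration, not Apollo/Domain/OS code: the registry server,
the rgy_$ library and edrgy are not reproduced. Every name here (Registry,
principal_matches, the sample principals) is constructed for the example.
Principals and owner patterns are person.group.org triples; '%' in a field
of an owner pattern matches any value, so "%.%.%" means "anyone".
"""
from dataclasses import dataclass, field

WILDCARD = "%"


def principal_matches(owner_pattern: str, principal: str) -> bool:
    """True if a person.group.org principal is covered by an owner pattern."""
    pattern = owner_pattern.split(".")
    who = principal.split(".")
    if len(pattern) != 3 or len(who) != 3:
        raise ValueError("expected person.group.org")
    return all(p == WILDCARD or p == w for p, w in zip(pattern, who))


@dataclass
class Registry:
    # Owner attached to the "person" naming domain. The post says rgy_create
    # leaves everything owned by %.%.%, and new objects inherit the domain's owner.
    person_domain_owner: str = "%.%.%"
    person_owners: dict = field(default_factory=dict)   # person -> owner pattern
    accounts: set = field(default_factory=set)          # (person, group, org)

    def _require(self, owner_pattern: str, caller: str, what: str) -> None:
        if not principal_matches(owner_pattern, caller):
            raise PermissionError(f"{caller} is not an owner of {what}")

    def add_person(self, caller: str, person: str) -> None:
        self._require(self.person_domain_owner, caller, "the person domain")
        # Inherit ownership from the naming domain, as the post describes.
        self.person_owners[person] = self.person_domain_owner

    def set_person_owner(self, caller: str, person: str, new_owner: str) -> None:
        # Only a current owner may change the owner field.
        self._require(self.person_owners[person], caller, f"person {person}")
        self.person_owners[person] = new_owner

    def add_account(self, caller: str, person: str, group: str, org: str) -> None:
        # Assumption of this model: creating person.group.org requires owning
        # the person entry (the post only discusses the person-side check).
        self._require(self.person_owners[person], caller, f"person {person}")
        self.accounts.add((person, group, org))


def attempt(operation, *args) -> bool:
    """Run a registry operation and report whether it was permitted."""
    try:
        operation(*args)
        return True
    except PermissionError:
        return False


def walkthrough() -> dict:
    """Replay the mistake from the thread and the fix, returning the outcomes."""
    rgy = Registry()
    rgy.add_person("admin.staff.none", "root")       # root inherits %.%.%
    outcome = {"root_owner_after_create": rgy.person_owners["root"]}
    # Wide-open owner: an ordinary user can mint a new root.* account.
    outcome["stranger_before_fix"] = attempt(
        rgy.add_account, "joe.users.none", "root", "server", "none")
    # The fix: set an owner on the root person itself.
    rgy.set_person_owner("admin.staff.none", "root", "root.staff.none")
    outcome["stranger_after_fix"] = attempt(
        rgy.add_account, "joe.users.none", "root", "server2", "none")
    outcome["owner_after_fix"] = attempt(
        rgy.add_account, "root.staff.none", "root", "server2", "none")
    # A non-owner also cannot reopen the entry by resetting its owner.
    outcome["stranger_resets_owner"] = attempt(
        rgy.set_person_owner, "joe.users.none", "root", "%.%.%")
    return outcome


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The model also shows why Frank's ACL change on /etc/edrgy is beside the point: nothing in Registry consults who may run the client; every decision is made against the owner field of the object being touched, which is where the original gap was.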