Path: utzoo!attcan!uunet!cs.utexas.edu!chinacat!sequoia!rpp386!jfh
From: jfh@rpp386.cactus.org (John F Haugh II)
Newsgroups: comp.unix.internals
Subject: Re: Complex security mechanism is unsecure
Message-ID: <18816@rpp386.cactus.org>
Date: 13 Dec 90 13:59:57 GMT
References: <18808@rpp386.cactus.org> <6886@titcce.cc.titech.ac.jp>
Reply-To: jfh@rpp386.cactus.org (John F Haugh II)
Organization: Lone Star Cafe and BBS Service
Lines: 39
X-Clever-Slogan: Recycle or Die.

In article <6886@titcce.cc.titech.ac.jp> mohta@necom830.cc.titech.ac.jp (Masataka Ohta) writes:
>>you should =always= execute with the
>>least amount of privilege required to perform the task at hand.
>
>"=always="? No, "unless the security mechanism become complex" is
>the condition.

No, there are no exceptions - the correct response is "always". In the
case of complex security mechanisms the correct response is "and
particularly in the case of complex security mechanisms".

The glossary of the friendly neighborhood Orange Book says ...

"Least Privilege: This principle requires each subject [program -ed] in a
system be granted the most restrictive set of privileges (or lowest
clearance) needed for the performance of authorized tasks. The
application of this principle limits the damage that can result from
accident, error, or unauthorized use."

>But, the relationships of management related files are already very
>complex. So, don't bring extra complexity such as a non-root setuid
>program.

Unless there is a requirement for root permissions, adding root
permissions is an unneeded complexity. It requires that =every= system
call which behaves differently from non-root to root users be analyzed
for unexpected behavior. There should be no difference in the
precautions taken when you are writing a set-UID "uucp" program as when
writing a set-UID "root" one.

If you adhere to this you will have a program which =cannot= be less
secure simply because any incorrect or unauthorized action performed
while UID "uucp" could also be performed while UID "root" with the
"root" executed functions succeeding while the "uucp" ones would fail.
-- 
John F. Haugh II                             UUCP: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 832-8832                      Domain: jfh@rpp386.cactus.org
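An added illustration of the principle argued in the post above (this is example code, not part of the original article): the privilege-drop routine a set-UID program would call once its privileged step is done, together with a check that the drop is permanent and cannot be undone. It assumes Linux/glibc `setresuid(2)`/`setresgid(2)`; run unprivileged it drops to the caller's own ids, which exercises the same code path without root.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Drop all elevated privilege permanently: supplementary groups first,
 * then the group ids, then the user ids. Order matters: once the uid is
 * unprivileged, the gid and group list can no longer be changed.
 * Returns 0 on success, -1 with errno set on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* setgroups() needs root (CAP_SETGID); only attempt it when held. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* Set real, effective and saved ids together so no saved id is left
     * behind from which the old privilege could be re-acquired. */
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    return 0;
}

/* Confirm the drop took: all three uids and gids equal the target, and an
 * attempt to become root again is refused by the kernel.
 * Returns 1 if the process is irreversibly at (uid, gid), else 0. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return 0;
    if (ru != uid || eu != uid || su != uid)
        return 0;
    if (rg != gid || eg != gid || sg != gid)
        return 0;
    /* For an unprivileged target this must fail with EPERM; if it
     * succeeds, the drop was not permanent. */
    if (uid != 0 && setresuid((uid_t)-1, 0, (uid_t)-1) == 0)
        return 0;
    return 1;
}

int main(void)
{
    /* A real set-UID program would pass the ids it was invoked with
     * (getuid()/getgid()); here that is also our own unprivileged identity. */
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (drop_privileges(uid, gid) != 0) { perror("drop_privileges"); return 1; }
    printf("privileges dropped and irreversible: %d\n", privileges_dropped(uid, gid));
    return privileges_dropped(uid, gid) ? 0 : 1;
}
```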