Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!zaphod.mps.ohio-state.edu!wuarchive!mit-eddie!bloom-beacon!eru!hagbard!sunic!kullmar!pkmab!ske
From: ske@pkmab.se (Kristoffer Eriksson)
Newsgroups: comp.unix.internals
Subject: Re: Complex security mechanism is unsecure
Message-ID: <4645@pkmab.se>
Date: 15 Dec 90 13:01:09 GMT
References: <4627@pkmab.se> <18808@rpp386.cactus.org> <6886@titcce.cc.titech.ac.jp>
Organization: Peridot Konsult i Mellansverige AB, Oerebro, Sweden
Lines: 51

In article <6886@titcce.cc.titech.ac.jp> mohta@necom830.cc.titech.ac.jp (Masataka Ohta) writes:
>In article <4627@pkmab.se> ske@pkmab.se (Kristoffer Eriksson) writes:
>
>>(If, instead, you break into that account by using some bug in some
>>set-uid program owned by that account, then it wouldn't exactly be more
>>secure to have that program owned by root, so that is no way to avoid my
>>argument.)
>
>The complexity of the security mechanism is different.

What security mechanism are you talking about? What is more complicated?
And I don't think it is relevant, anyway.

>>But that is fairly easy to prevent for a non-user account. Just make it
>>impossible to login to that account.
>
>Yes, it is fairly easy if you know what to do.

I don't see how it is significantly easier to protect the root account alone.

>But, with a complex security mechanism, it is difficult for an average
>system administrator to know what to do.

I don't find it that complex. Really, I think that the addition of more
than one ring of security by using other uids than only root is very
valuable and costs next to nothing in extra complexity.

>A careless administrator may even think that it is safe to give some
>half-trusted user "uucp" privilege.

Make the administrator do all work in assembler, and maybe he won't dare
do anything at all, and we will get a very "secure" system... No, I think
this argument is of no significance. To prevent carelessness, you want
to remove a useful security feature?

My judgement is that root would become more vulnerable to simple mistakes,
rather than less.

>"uucp" has large capability over files owned by "uucp" and referenced by
>"root". That is the reality.

When does root need to reference uucp files?

>"=always="? No, "unless the security mechanism become complex" is
>the condition.

It doesn't become very much more complex.

-- 
Kristoffer Eriksson, Peridot Konsult AB, Hagagatan 6, S-703 40 Oerebro, Sweden
Phone: +46 19-13 03 60 !  e-mail: ske@pkmab.se
Fax:   +46 19-11 51 03 !  or ...!{uunet,mcsun}!sunic.sunet.se!kullmar!pkmab!ske
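The post's practical point is "make it impossible to login to that account" for service uids such as uucp. The script below is an added example, not part of the original Usenet thread and not anything its author posted: it audits a passwd-format file for service accounts that can still be logged into, i.e. whose password field is not locked and whose shell is interactive. The list of service-account names, the lock markers `*`, `!` and `!!`, and the set of non-interactive shells are assumptions chosen for the example (they match the usual BSD and shadow-utils conventions, but check your own system); the sample passwd lines are constructed and describe no real host.

```sh
#!/bin/sh
# Added example: flag service accounts that can still be logged into.
# Assumed conventions (not from the original post):
#   - password field '*', '!' or '!!' means the account is locked
#   - /sbin/nologin, /usr/sbin/nologin and /bin/false are non-interactive shells
# On shadow-password systems the field is 'x' and the real hash lives in
# /etc/shadow; this example deliberately treats 'x' as NOT locked, so that a
# service account whose only protection is an unknown hash is still reported.

# Service (non-user) account names to check; assumed list for the example.
SERVICE_ACCOUNTS="uucp news daemon bin lp"

# Print, one per line, each listed account that has both an unlocked
# password field and an interactive shell.  Prints nothing when all are
# locked one way or the other.  Argument: path to a passwd-format file.
audit_service_accounts() {
    file="$1"
    awk -F: -v names="$SERVICE_ACCOUNTS" '
        BEGIN {
            n = split(names, a, " ")
            for (i = 1; i <= n; i++) want[a[i]] = 1
        }
        ($1 in want) {
            locked  = ($2 == "*" || $2 == "!" || $2 == "!!")
            noshell = ($7 == "/sbin/nologin" || $7 == "/usr/sbin/nologin" || $7 == "/bin/false")
            if (!locked && !noshell) print $1
        }' "$file"
}

# Number of accounts flagged, handy for a cron job or a monitoring check.
count_open_service_accounts() {
    audit_service_accounts "$1" | wc -l | tr -d ' '
}

# Constructed sample passwd file for the demo (not from any real system).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/sh
uucp:SomeHash:4:4:uucp:/var/spool/uucp:/bin/sh
news:*:9:9:news:/var/spool/news:/bin/sh
daemon:!:1:1:daemon:/:/sbin/nologin
lp:NotLocked:7:7:lp:/var/spool/lp:/sbin/nologin
ske:x:1000:1000:Kristoffer:/home/ske:/bin/sh
EOF

# Only "uucp" should be reported: a real hash and an interactive shell.
# news is locked by '*', daemon by '!' and nologin, lp by nologin alone,
# and root/ske are user accounts outside the checked list.
audit_service_accounts "$SAMPLE"
rm -f "$SAMPLE"
```

On a shadow-utils system the fix for a flagged account is the two-step lock the post alludes to (assumed commands, check your man pages): `passwd -l uucp` to invalidate the password and `usermod -s /sbin/nologin uucp` to remove the shell, so that even a leaked hash or a bug in a uucp-owned set-uid program does not turn into an interactive login. Locking the shell alone is not enough on systems where su, cron or ftp consult only the password field, which is why the audit requires both.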