Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sun-barr!ccut!titcca!cc.titech.ac.jp!necom830!mohta
From: mohta@necom830.cc.titech.ac.jp (Masataka Ohta)
Newsgroups: comp.unix.internals
Subject: Re: Complex security mechanism is unsecure
Message-ID: <6922@titcce.cc.titech.ac.jp>
Date: 16 Dec 90 14:09:12 GMT
References: <4627@pkmab.se> <18808@rpp386.cactus.org> <6886@titcce.cc.titech.ac.jp> <4645@pkmab.se>
Sender: news@cc.titech.ac.jp
Organization: Tokyo Institute of Technology
Lines: 53

In article <4645@pkmab.se> ske@pkmab.se (Kristoffer Eriksson) writes:

>What security mechanism are you talking about? What is more complicated?
>I don't see how it is significantly easier to protect the root account alone.

Then, for example, think about a case where an NFS mounted file system is
exported with root access converted to nobody (but, uucp to uucp, daemon
to daemon).

Then, list what system administrators should take care of.

>I don't find it that complex.

Do you still think so?

>Really, I think that the addition of more
>than one ring of security by using other uids than only root is very
>valuable and costs next to nothing in extra complexity.

And you can have seven levels of security like Multics without extra
complexity.

>My judgement is that root would
>become more vulnerable to simple mistakes, rather than less.

My point is that root becomes more vulnerable if it trusts uucp, daemon
and others.

>>"uucp" has large capability over files owned by "uucp" and referenced by
>>"root". That is the reality.

>When does root need to reference uucp files?

It is not necessary, but on my 4.2BSD base system,

	% ls -l /usr/bin | grep uucp
	-rws--x--x  2 uucp        86016 May 19  1989 cu
	---s--s--x  2 uucp        53248 Apr  7  1988 ruusend
	-rws--x--x  2 uucp        86016 May 19  1989 tip
	---s--s--x  1 uucp        61440 Apr  7  1988 uucp
	-rwxr-xr-x  1 uucp        49152 Apr  7  1988 uudecode
	---s--s--x  1 uucp        24576 Apr  7  1988 uulog
	---s--s--x  1 uucp        20480 Apr  7  1988 uuname
	---s--s--x  1 uucp        24576 Apr  7  1988 uupoll
	---s--s--x  2 uucp        53248 Apr  7  1988 uusend
	---s--s--x  1 uucp        20480 Apr  7  1988 uusnap
	---s--s--x  1 uucp        65536 Apr  7  1988 uux

Moreover, if I remember correctly, in 4.2BSD, /etc/syslog was owned
by daemon, which will be executed by root at boot time from /etc/rc.local.

At least, on SunOS 3.5, /usr/etc/in.syslogd is owned by daemon and
executed by root.

						Masataka Ohta
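
Added example (not part of the original post): one way an administrator can check for the situation described above, where root runs a program from a boot script although the file belongs to, or can be rewritten by, another account. The function names, the path-matching heuristic and the `trusted_uids` parameter are assumptions of this example.

```python
import os
import re
import stat
import sys

# Heuristic (an assumption of this example): every absolute path named on a
# non-comment line of the script is a candidate program.
PATH_RE = re.compile(r"(?<![\w.-])/[\w./+-]+")

def audit_file(path, trusted_uids=frozenset({0})):
    """Reasons why root should not execute `path`; empty list if none."""
    try:
        st = os.stat(path)  # follows symlinks: checks what would really run
    except OSError:
        return []
    if not stat.S_ISREG(st.st_mode) or not st.st_mode & 0o111:
        return []  # not an executable regular file
    reasons = []
    if st.st_uid not in trusted_uids:
        reasons.append("owner uid %d is not trusted" % st.st_uid)
    if st.st_mode & 0o022:
        reasons.append("group- or world-writable, mode %o" % stat.S_IMODE(st.st_mode))
    return reasons

def audit_script(text, trusted_uids=frozenset({0})):
    """Map each risky program named in the script text to its reasons."""
    findings = {}
    for line in text.splitlines():
        code = line.split("#", 1)[0]  # drop shell comments
        for path in PATH_RE.findall(code):
            reasons = audit_file(path, trusted_uids)
            if reasons:
                findings[path] = reasons
    return findings

if __name__ == "__main__":
    # Usage: python3 audit_rc.py /etc/rc.local [more scripts...]
    for script in sys.argv[1:]:
        with open(script) as fh:
            for path, reasons in sorted(audit_script(fh.read()).items()):
                print("%s: %s: %s" % (script, path, "; ".join(reasons)))
```

The check covers only the file itself; a writable parent directory would let the same accounts replace the program and needs a separate check.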