Path: utzoo!censor!geac!torsqnt!news-server.csri.toronto.edu!cs.utexas.edu!tut.cis.ohio-state.edu!usenet.ins.cwru.edu!ncoast!allbery
From: allbery@NCoast.ORG (Brandon S. Allbery KB8JRR)
Newsgroups: comp.unix.internals
Subject: Re: Complex security mechanism is unsecure
Message-ID: <1990Dec19.025634.7585@NCoast.ORG>
Date: 19 Dec 90 02:56:34 GMT
References: <18826@rpp386.cactus.org> <18827@rpp386.cactus.org> <6948@titcce.cc.titech.ac.jp>
Reply-To: allbery@ncoast.ORG.ORG (Brandon S. Allbery KB8JRR)
Followup-To: comp.unix.internals
Organization: North Coast Computer Resources (ncoast)
Lines: 38

As quoted from <6948@titcce.cc.titech.ac.jp> by mohta@necom830.cc.titech.ac.jp (Masataka Ohta):
+---------------
| >>is exported with root access converted to nobody (but, uucp to uucp,
| >>daemon to daemon). Then, list what system administrators should take care of.
|
| >How about starting with exporting the file system read-only and only
| >to systems which are properly administered.
|
| Nice start. Please continue, until you recognize it as complex.
+---------------

It became complex when you exported the filesystem via NFS. Additional users add almost nothing to the resulting complexity....

You are proposing that there should be one user: root. MS-DOS and other single user operating systems work this way, and are anything but secure.

Alternatively, you are suggesting that anything root interacts with be owned by root, and that user files may be owned by and modifiable by the user provided root never do anything with them. You want a complex security nightmare? Try to maintain this system without *ever* having a process with root permissions interacting with a file that isn't owned by root.

You aren't proposing anything simpler, you're proposing something that looks simpler on paper but has many hidden complexities. The layout is simple, but the actual administration is complex. THERE IS NO WAY AROUND THIS.

The only way to get simple security is to put a lock on the door to the computer room and attach no terminals or computers outside that room, and let nobody in or out of the room for any reason. And I can argue that *that* can not be trusted.

++Brandon
--
Me: Brandon S. Allbery			VHF/UHF: KB8JRR on 220, 2m, 440
Internet: allbery@NCoast.ORG		Packet: KB8JRR @ WA8BXN
America OnLine: KB8JRR			AMPR: KB8JRR.AmPR.ORG [44.70.4.88]
uunet!usenet.ins.cwru.edu!ncoast!allbery	Delphi: ALLBERY
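The quoted exchange above names three properties of a defensible NFS export: remote root mapped to nobody, read-only access, and a client list limited to administered hosts. The script below is an added example, not part of the original post or anything its authors wrote; it audits an exports file for the absence of those properties. It assumes the Linux /etc/exports syntax (path followed by host(options) entries), which postdates the thread, and runs over a constructed sample file embedded inline rather than a real host's configuration.

```shell
#!/bin/sh
# Audit an NFS exports file for the weaknesses the thread discusses:
# root not squashed, write access, and exports open to every client.
# Assumes Linux /etc/exports syntax: "<path> <host>(<opt>,<opt>) ...".

# Constructed sample input (not a real host's file).  The first /usr line
# shows the weak form, the second the hardened form from the thread.
SAMPLE_EXPORTS=$(cat <<'EOF'
# weak: writable, every host, remote root keeps uid 0
/usr            *(rw,no_root_squash)
# better: read-only, named clients only, remote root mapped to nobody
/usr            client1.example.org(ro,root_squash) client2.example.org(ro,root_squash)
/home           10.0.0.0/24(rw,root_squash)
EOF
)

# audit_exports: reads an exports file on stdin, prints one finding per line.
audit_exports() {
    # Drop comment and blank lines, then take the path and the rest as clients.
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' | while read -r path clients; do
        if [ -z "$clients" ]; then
            # A path with no client list is exported to every host.
            echo "$path: exported to every host (no client list)"
            continue
        fi
        for entry in $clients; do
            # Split "host(opts)" into host and opts; an entry without
            # parentheses has a host and no options.
            case "$entry" in
                *\(*\)) host=${entry%%\(*}; opts=${entry#*\(}; opts=${opts%\)} ;;
                *)      host=$entry; opts= ;;
            esac
            case "$host" in
                ''|'*') echo "$path: wildcard client '$host'" ;;
            esac
            # Wrap in commas so each option matches as a whole word.
            case ",$opts," in
                *,no_root_squash,*) echo "$path -> $host: no_root_squash (remote root keeps uid 0)" ;;
            esac
            case ",$opts," in
                *,ro,*) ;;
                *)      echo "$path -> $host: writable (no 'ro')" ;;
            esac
        done
    done
}

# count_findings: number of findings for the constructed sample (expected 4).
count_findings() {
    printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports | wc -l | tr -d ' '
}

# Usage on a real system: audit_exports < /etc/exports
printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports
```

The sample produces four findings, all on the two lines that deviate from the quoted recipe: the wildcard client, the missing root squash, and write access on the first /usr line, and write access on /home. The hardened /usr line produces none. Note that this only inspects the exports file; whether the listed clients are in fact "properly administered" is the part the thread argues cannot be checked mechanically.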