Xref: utzoo comp.unix.programmer:1311 alt.sources.d:1613
Path: utzoo!utgpu!cs.utexas.edu!uwm.edu!spool.mu.edu!snorkelwacker.mit.edu!hsdndev!cmcl2!kramden.acf.nyu.edu!brnstnd
From: brnstnd@kramden.acf.nyu.edu (Dan Bernstein)
Newsgroups: comp.unix.programmer,alt.sources.d
Subject: Re: C2 secure systems and the superuser
Message-ID: <5988:Mar1400:07:0391@kramden.acf.nyu.edu>
Date: 14 Mar 91 00:07:03 GMT
References: <1991Mar13.042033.12450@convex.com> <19103@rpp386.cactus.org> <1991Mar13.185609.21132@convex.com>
Organization: IR
Lines: 37

In article <1991Mar13.185609.21132@convex.com> tchrist@convex.COM (Tom Christiansen) writes:
> From the keyboard of jfh@rpp386.cactus.org (John F Haugh II):
> :In article <1991Mar13.042033.12450@convex.com> tchrist@convex.COM (Tom Christiansen) writes:
> :>I maintain that both "auth" and "sysadmin" give you indirect
> :>root privileges.

Undoubtedly you would stop complaining if ``auth'' were named ``root-auth'' and ``sysadmin'' were named ``root-sysadmin''.

> :Perhaps "sysadmin" also lets you crash
> :the machine by unmounting critical volumes or over-mounting
> :others. A quick look at the audit logs will reveal what
> :happened.
> Audit logs can be altered once you are powerful enough. And
> it's important to stop it from happening in the first place.

The situation is no worse than the situation where ``sysadmin'' equals ``root'' to begin with.

The way UNIX is typically used, you have about three levels of users: root, independent ``system'' uids and gids, and normal users. If you have an operation that uses root privileges but you can downgrade it to a system uid or gid, you make it at least nominally more difficult to break root, and you reduce the chance that a bug in one program will bring down the entire system.

Yes, people have to be just as careful with the system uids as with root. So what? It's no worse than the previous situation, where you'd need to be root for everything.
I think it would be better for all the system uids to fall within a special namespace or uid-space. That way it would be hard not to notice that you're dealing with a system uid. But the concept of having more structure than ``root'' and ``everyone else'' is inherently sound in any case.

---Dan
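The "downgrade a root operation to a system uid or gid" step, and the reserved uid-space the post asks for, as an added example in C. This is not code from Dan's post or from any of the systems discussed in the thread; it is a small privilege-drop routine of the kind a daemon would call after doing the one thing that needs root. The range SYSTEM_UID_MIN..SYSTEM_UID_MAX is a constructed policy for the example (real systems pick their own), and the default uid/gid 200 in main is a placeholder for a dedicated service account.

```c
#define _GNU_SOURCE          /* for setgroups() on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed policy for this example: "system" uids live in a reserved
 * range below normal users, so a uid in that range is recognisable at a
 * glance.  The bounds are an assumption, not a UNIX standard. */
#define SYSTEM_UID_MIN 100
#define SYSTEM_UID_MAX 999

/* 1 if uid is a non-root id inside the reserved system range, else 0. */
int is_system_uid(uid_t uid)
{
    return uid != 0 && uid >= SYSTEM_UID_MIN && uid <= SYSTEM_UID_MAX;
}

/* Permanently give up root in favour of uid/gid.  Returns 0 on success,
 * -1 on failure (errno is left set by the failing call where applicable).
 * The order is the important part: supplementary groups and the gid must
 * be changed while we are still root, the uid last, because setuid() is
 * the step that takes away the power to do the others. */
int drop_to_system_id(uid_t uid, gid_t gid)
{
    /* Refuse to "drop" to root: that would keep the operation at the
     * top level the post argues against. */
    if (uid == 0 || gid == 0) {
        errno = EINVAL;
        return -1;
    }
    /* setgid() does not touch supplementary groups; clear them
     * explicitly, which only root may do. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Verify the drop is irreversible: if euid 0 can be regained, a
     * saved set-user-id still holds root and the caller must abort. */
    if (seteuid(0) == 0 || setegid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    /* Usage: ./drop [uid [gid]]; 200/200 is a placeholder service id. */
    uid_t uid = argc > 1 ? (uid_t)strtoul(argv[1], NULL, 10) : 200;
    gid_t gid = argc > 2 ? (gid_t)strtoul(argv[2], NULL, 10) : 200;

    if (!is_system_uid(uid))
        fprintf(stderr, "warning: uid %lu is outside the system range\n",
                (unsigned long)uid);
    if (drop_to_system_id(uid, gid) != 0) {
        fprintf(stderr, "drop to %lu/%lu failed: %s\n",
                (unsigned long)uid, (unsigned long)gid, strerror(errno));
        return 1;
    }
    printf("now running as uid %lu gid %lu; root cannot be regained\n",
           (unsigned long)getuid(), (unsigned long)getgid());
    return 0;
}
```

Run as root with a real system uid/gid it drops and stays dropped; run unprivileged it can only "drop" to the ids it already has, and the EPERM from setgroups or setuid is reported rather than silently ignored, which is the failure mode that turns a nominal downgrade into a program still running as root.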