Xref: utzoo comp.unix.internals:2544 comp.unix.admin:1591
Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!usc!cs.utexas.edu!execu!sequoia!rpp386!jfh
From: jfh@rpp386.cactus.org (John F Haugh II)
Newsgroups: comp.unix.internals,comp.unix.admin
Subject: Re: Unix security additions
Message-ID: <19208@rpp386.cactus.org>
Date: 15 Apr 91 12:18:09 GMT
References: <39950@cup.portal.com> <1991Mar14.230944.9184@eci386.uucp> <1991Mar22.024124.3238@ec <1092@mwtech.UUCP>
Reply-To: jfh@rpp386.cactus.org (John F Haugh II)
Organization: Lone Star Cat Emporium and BBQ Grill
Lines: 46
X-Clever-Slogan: Help Prevent Robbery. Tax the IRS.

In article <1092@mwtech.UUCP> martin@mwtech.UUCP (Martin Weitzel) writes:
>jfh> At some point in time you have to trust the people you've hired to do
>jfh> their jobs.
>
>Wait a minute: Given the scenario that in a (badly configured) UNIX system
>I have to give a privileged account to those people who have to care for
>backups. Now I complain: This is really bad - I don't trust these people and
>fear they will use their privileged account to sneak into other users' files.

THEN DON'T DO IT.

It makes absolutely no sense whatsoever to have passwords on the user
accounts, then to give superuser authority to someone that you know is
going to break into the other users' accounts. If you give the authority
to modify any user account to someone you can't trust not to abuse the
authority, you have the same situation. And so on for every privileged
role.

>Under these circumstances, would it be wise to trust the same people that
>they don't take the backup tapes and read them anywhere else?

If you don't have physical security (i.e., they can take the tapes anywhere
they want) and you can't trust your personnel, I'd suggest you turn off the
computer system and just give up. Basically your complaint is that you must
give privileges to people that you can't trust not to abuse them, and that
you can't control the data once they've taken it.

Sounds like you got a rather serious problem on your hands. Good luck.

>My claim still is that this can be done without changing the kernel, and
>that the added security you win *if* you make enhancements to the kernel
>is far less than the chance that some people you hired to do their jobs
>CAN'T be trusted.

These are not the same problems. They aren't even related to each other.
Particularly since the former is meant to prevent things that the latter
can't address, such as people you didn't hire accessing your system.

The only completely secure computer is sitting in a room, with no outside
connections, powered off, and encased in concrete. If you insist on hiring
people you think are going to violate the system's security, there is no
point in keeping out the rest of the world. You've already given the keys
to the bad guys.
-- 
John F. Haugh II        | Distribution to      | UUCP: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 832-8832 | GEnie PROHIBITED :-) | Domain: jfh@rpp386.cactus.org
"If liberals interpreted the 2nd Amendment the same way they interpret the
rest of the Constitution, gun ownership would be mandatory."