Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!mips!cs.uoregon.edu!ogicse!zephyr.ens.tek.com!tektronix!percy!m2xenix!quagga!proxima!frcs!paul
From: paul@frcs.UUCP (Paul Nash)
Newsgroups: comp.unix.internals
Subject: Re: Unix security additions
Message-ID: <464@frcs.UUCP>
Date: 19 Apr 91 12:52:06 GMT
References: <1092@mwtech.UUCP> <19208@rpp386.cactus.org> <6783@awdprime.UUCP> <1991Apr18.042212.11738@Think.COM>
Organization: Free Range Computer Systems CC
Lines: 18

Thus spake barmar@think.com (Barry Margolin):
> In article <6783@awdprime.UUCP> Tony Sanders writes:
> >What if the backup/restore utilities on the "secure" system used an
> >encryption scheme before writing to tape (like dump|crypt|dd of=/dev/mt,
>
> If the people you're trying to protect against are the operators, this
> isn't much of a solution, since they have to know the password in order to
> do the backups and restores.

Not if you exec the pipeline from inside a suitable setuid program,
which can also contain the key for crypt. As the program should be
unreadable by everyone (only executable & setuid), this shouldn't be
a security breach of too vast a magnitude. Restores need someone
(trusted) who knows the root password and the key (or the root
password and knows how to use `strings').

---=---=---=---=---=---=---=---=---=---=---=---=---=---=---=---=---=---
Paul Nash                               Free Range Computer Systems cc
paul@frcs.UUCP                          ...!uunet!m2xenix!frcs!paul
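
The reply rests on two checkable points: the wrapper's mode must be setuid and execute-only, and anyone who can read the file can pull the key out the way `strings` would. This is an added example, not part of the original post; the sample bytes, the key value and the function names are constructed for illustration.

```python
import re
import stat

# Constructed stand-in for the wrapper's bytes: binary padding around the
# pipeline text and an embedded key. The key value is made up.
SAMPLE_IMAGE = (
    b"\x7fELF\x02\x01\x01\x00" + bytes(16)
    + b"dump | crypt \x00"
    + b"s3cr3t-tape-key\x00"
    + b"\x01\x02\x03 | dd of=/dev/mt\x00"
)


def printable_runs(data, min_len=4):
    """Return runs of >= min_len printable ASCII bytes, as strings(1) does."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def mode_findings(mode):
    """Check a st_mode value against the post's 'only executable & setuid'."""
    findings = []
    if not mode & stat.S_ISUID:
        findings.append("not setuid")
    if mode & (stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH):
        findings.append("read bit set")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group/other")
    if not mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("not executable")
    return findings


def key_exposed(data, key):
    """True if the key sits in a printable run, i.e. strings would show it."""
    return any(key in run for run in printable_runs(data))


if __name__ == "__main__":
    for m in (0o4111, 0o4755, 0o0711):
        print(oct(m), mode_findings(m) or "setuid, execute-only")
    print(printable_runs(SAMPLE_IMAGE))
```

The mode check only limits who can read the file; root bypasses the read bits, which is the `strings` route the post itself points out.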