Newsgroups: comp.unix.internals
Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!think.com!barmar
From: barmar@think.com (Barry Margolin)
Subject: Re: Unix security additions
Message-ID: <1991Apr22.225119.18315@Think.COM>
Sender: news@Think.COM
Organization: Thinking Machines Corporation, Cambridge MA, USA
References: <6783@awdprime.UUCP> <1991Apr18.042212.11738@Think.COM> <464@frcs.UUCP>
Date: Mon, 22 Apr 91 22:51:19 GMT

In article <464@frcs.UUCP> paul@frcs.UUCP (Paul Nash) writes:
>Thus spake barmar@think.com (Barry Margolin):
>> If the people you're trying to protect against are the operators, this
>> isn't much of a solution, since they have to know the password in order to
>> do the backups and restores.
>Not if you exec the pipeline from inside a suitable setuid program, which
>can also contain the key for crypt. As the program should be unreadable
>by everyone (only executable & setuid), this shouldn't be a security breach
>of too vast a magnitude.

I generally don't consider solutions that involve unreadable programs as
reasonable. Security should be based on the authorized person knowing
something (e.g. a password or encryption key) and/or having something
(e.g. a smartcard or retina pattern) that unauthorized people don't.

However, I admit that the above solution isn't *too* bad.

--
Barry Margolin, Thinking Machines Corp.

barmar@think.com
{uunet,harvard}!think!barmar