Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sun-barr!olivea!uunet!mcsun!ukc!slxsys!ibmpcug!mantis!tony
From: tony@mantis.co.uk (Tony Lezard)
Newsgroups: comp.sys.novell
Subject: Re: Security
Message-ID:
Date: 9 May 91 15:06:34 GMT
References: <1991Apr30.201436.20973@novell.com>
Organization: Mantis Consultants, Cambridge. UK.
Lines: 30

keith@ca.excelan.com (Keith Brown) writes:

> In article <11467@uwm.edu> jeffd@csd4.csd.uwm.edu (Jeffrey Alan Ding) writes:
> >Add Supervisor to the managed users or groups field for your name. That
> >way, you can make yourself a supervisor any time you want.
> >.........
> >This is a grave bug in security if you ask me, cause nothing reveals it
> >and the only way you can find out is to look at every user individually.
>
> Don't forget that you have to be SUPERVISOR (or equivalent) to add any
> managed users to an account's flock so this is hardly a "grave bug in
> security". You are however correct in pointing out that the security
> checker should probably rat on users who have SUPERVISOR as a managed
> account.

It's worse than that. While security equivalences are non-transitive (i.e. if A is security equivalent to SUPERVISOR and B is equivalent to A, then B does not get supervisor rights), it is the case that if I manage someone who manages someone else then I can have access to the final person in the chain and have their rights. The chain of managers could be indefinitely long. Furthermore, the person at the end of the chain need not be SUPERVISOR itself but merely security equivalent. Thus SECURITY.EXE needs to be somewhat more sophisticated than might be expected.

--
Tony Lezard . E-mail: tony@mantis.co.uk, Snail: Mantis Consultants, Unit 56, St. John's Innovation Centre, Cambridge, CB4 4WS, UK.
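The kind of check the post says SECURITY.EXE needs, as an added example (not code from the post or from Novell): an audit over a constructed managed-users table and security-equivalence list that flags every user whose chain of managed accounts, of any length, ends at SUPERVISOR or at an account directly equivalent to it. Equivalence is treated as one hop only, as the post describes; the table names and data are made up.

```python
"""Audit a bindery-style user table for indirect SUPERVISOR reach.

Constructed sample data (not from the original post):
  MANAGES        user -> accounts listed in their managed users/groups field
  EQUIVALENT_TO  user -> accounts they are directly security-equivalent to
"""
from collections import deque

MANAGES = {
    "ALICE": ["BOB"],          # ALICE -> BOB -> CAROL -> OPS_ADMIN (~SUPERVISOR)
    "BOB":   ["CAROL"],
    "CAROL": ["OPS_ADMIN"],
    "DAVE":  [],
    "ERIN":  ["SUPERVISOR"],   # the direct case from the original complaint
    "FRED":  ["GINA"],         # harmless cycle: FRED <-> GINA
    "GINA":  ["FRED"],
}
EQUIVALENT_TO = {
    "OPS_ADMIN": ["SUPERVISOR"],
    "DAVE":      ["OPS_ADMIN"],  # equivalent to an equivalent: NOT supervisor (non-transitive)
}


def supervisor_equivalents(equivalent_to):
    """SUPERVISOR plus accounts *directly* equivalent to it (one hop, per the post)."""
    return {"SUPERVISOR"} | {u for u, eq in equivalent_to.items() if "SUPERVISOR" in eq}


def reachable_managed(user, manages):
    """Every account reachable from user by following manages links; cycle-safe."""
    seen, queue = set(), deque(manages.get(user, []))
    while queue:
        acct = queue.popleft()
        if acct in seen:
            continue
        seen.add(acct)
        queue.extend(manages.get(acct, []))
    return seen


def indirect_supervisors(manages, equivalent_to):
    """Map each user who can reach a supervisor-equivalent account to those accounts."""
    targets = supervisor_equivalents(equivalent_to)
    findings = {}
    for user in manages:
        hits = reachable_managed(user, manages) & targets
        if hits:
            findings[user] = sorted(hits)
    return findings


if __name__ == "__main__":
    for user, accts in indirect_supervisors(MANAGES, EQUIVALENT_TO).items():
        print(f"{user}: manager chain reaches {', '.join(accts)}")
```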