Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP Posting-Version: version B 2.10.2 9/18/84; site ucbvax.ARPA Path: utzoo!watmath!clyde!burl!ulysses!mhuxr!ihnp4!ucbvax!wizard%wisdom.bitnet@WISCVM.ARPA From: wizard%wisdom.bitnet@WISCVM.ARPA Newsgroups: net.unix-wizards Subject: new user id system idea. Message-ID: <6611@ucbvax.ARPA> Date: Tue, 30-Apr-85 06:47:42 EDT Article-I.D.: ucbvax.6611 Posted: Tue Apr 30 06:47:42 1985 Date-Received: Wed, 1-May-85 03:16:30 EDT Sender: daemon@ucbvax.ARPA Organization: University of California at Berkeley Lines: 110 From: Mike Trachtman an idea for protection sceme for unix. Note: this is not entirely thought out, any comments are welcome. It seems to me that having only all or no privledges, is not quite appropiate for systems that support mov%than 20 users. One would like to give teaching assitants access to make some accounts, have other users be allowed to do backups, have some users, be allowed to access certain devices, etc., w/o giving them full su privs. This is of course doable with appropiate suid programs, but such programs are a workaround, and a pain to write. Thus I think Unix should have more than one type of priv. also, I think that the group idea is not really used well at most Unix Installations, and should be slightly modified to deal with it. Lastly I think, that as alot of software gets strange ideas, when a person is running as su, as to who is running, that system should be slightly changed also. Thus I suggest the following: 1) have a three layer permission heirechy (rather than 2 as now) root |-------|--------|--------|--------| group group group group group leader leader leader leader leader | | | | | | | | | | | | | | | | | | | users and more users .................. with uid-0 being root uid 1-255 being group leaders and other users, having the gid coded in the hi word and user within the group, coded in the low word. Users could then have group sets, and users sets also. ( I think that becoming su, should be just adding root, (or some other uid) to your uid set). the following permissions would be understood by the system 1) be allowed to set permission bits 2-5) be allowed to read/write/execute/search any file or directory. 6-9) be allowed to read/write/execute/search any file or directory belonging to your group. 10-13) be allowed to read/write/create/mount any special file 14) be allowed to do a shutdown 15) be allowed to do certain special system calls (set date) the following convention would be used. uid 0 - has all permissions uid 1-255 have permissins v.s. the group they control uid 1 would have 10-15 (operator group) other uid's as appropiate. This information would be kept in the password file. The password file should be split up. there should be a master file called /etc/passwd which has an entry for each group, which says which entries that group leader can control, and a filename where he can write the accounts he creates. then there would be /etc/passwd[1-255] for each of the groups, where the leader can read/write it. (i.e. owned by that group) (and of course /etc/passwd.hash, which is a hashed table of all the passwd entries. for quick access.) to su, to somthing would make a subshell with the added uid/gid to the uid/gid lists, and the permissions of those accounts added. One side note, It has been discussed whether someone running as root, should have his privs changed when running someone elses suid program. Though in general this is not a problem, the following situation has occurred, and is a problem. assume the games directory is locked, and some game runs suid and does a cd to /usr/games/lib/somthing. then even root can not play that game. (this has happenned with hack) if users permission sets are adopted, then this becomes no problem, as a user would have both hack and root permissions. any files made should be owned by the original user, unless the program makes provision to be owned by somthing else. the uid set should have a known order of uids, first, real uid second, suid uid third... all other added uids. then a program should be able to say setown(uid) and if that uid is in the uid set, then all files created from then on, would have owner set to uid. What do people think ?? Mike Trachtman My address: wizard@wisdom (BITNET) wizard%wisdom.bitnet@wiscvm.ARPA (ARPA/CSNET) wizard%wisdom.bitnet@berkley (ARPA/CSNET) and if all else fails (ONLY for VERY short items) ...!decvax!humus!wisdom!wizard (UUCP) (One should not say anything, when one has nothing to say.)