Path: utzoo!utgpu!water!watmath!clyde!att!pacbell!lll-tis!helios.ee.lbl.gov!pasteur!agate!saturn!pardo@june.cs.washington.edu
From: pardo@june.cs.washington.edu (David Keppel)
Newsgroups: comp.os.research
Subject: Non-secure workstations (long) (Was: The NeXT Problem)
Message-ID: <5158@saturn.ucsc.edu>
Date: 16 Oct 88 17:27:50 GMT
Sender: usenet@saturn.ucsc.edu
Organization: U of Washington, Computer Science, Seattle
Lines: 36
Approved: comp-os-research@jupiter.ucsc.edu

crum@lipari.usc.edu (Gary L. Crum) writes:
>bzs@xenna (Barry Shein) writes:
>>[ Optical disk == portable file system ]
>Barry's environment where students boot cubes off their own platters
>poses many interesting security problems!  In such an environment, cubes
>cannot "trust" each other because users have their own system disks
>and hence all users are superusers for their respective machines.

I believe (somebody tell me?) that Andrew and possibly some other systems
have solved this.  When you do remote file accesses (e.g., mount some
file system) you are required to identify yourself.  The "root partition"
(e.g., the root of the file system and basic binaries) is made public;
anybody can boot and use it.  When you boot the machine, it goes and says
"I want to mount root, I am nobody".  The file server (kept in a locked
room :-) says "oh, sure, anybody can look at these" and sends back mount
privilege.

When you log in, there aren't any user files mounted.  You give your
password; this is sent to the server (e.g., using public-key cryptography
to keep the password secure), giving sure identification of "you".  The
server looks in its access control list, and if you are there, lets you
mount the file system (e.g., /usr).

Finally, even once you have the file system mounted, you still can't go
and clobber everybody else's files, because the file server is still
ultimately responsible for storing the data; when you try to write back
bogus data it says "you are X, you are trying to write on Y's data, Y
didn't say you could, so no go".  Read access goes exactly the same way.

	;-D on ( If it's so damn secure, how did *I* get the password? )  Pardo
--
pardo@cs.washington.edu
{rutgers,cornell,ucsd,ubc-cs,tektronix}!uw-beaver!june!pardo
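The exchanges the post describes (anonymous mount of a public root, a login the server verifies itself, an ACL check before mounting /usr, and owner checks on every read and write) can be modelled as a small server-side authority. The following is an added example, not code from the post, from Andrew, or from any real file server; the server name, the volume names, the users "alice" and "bob", the password hashing scheme and the `share` call are all assumptions made for illustration. The point it shows is the one the post makes: the workstation being root locally buys nothing, because the server only trusts identities it established itself.

```python
"""Toy model of server-enforced mount/read/write authority (added example).

Assumptions (not from the post): passwords are verified server-side with a
salted PBKDF2 hash standing in for the post's public-key exchange, and an
owner can explicitly share a file for reading.
"""
import hashlib
import hmac
import os

ANONYMOUS = "nobody"          # identity every freshly booted workstation has


class AccessDenied(Exception):
    pass


class FileServer:
    def __init__(self):
        self.public_volumes = {"/"}            # anyone may mount these
        self.mount_acl = {"/usr": set()}       # volume -> principals allowed
        self.files = {}                        # path -> {owner, data, readers}
        self.credentials = {}                  # user -> (salt, pbkdf2 digest)
        self.sessions = {}                     # token -> verified principal

    def add_user(self, user, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.credentials[user] = (salt, digest)
        self.mount_acl["/usr"].add(user)

    def login(self, user, password):
        """Verify the presented password; the returned token is the server's
        own record of who this session is, never a name the client asserts."""
        entry = self.credentials.get(user)
        if entry is None:
            raise AccessDenied("unknown user")
        salt, digest = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, digest):
            raise AccessDenied("bad password")
        token = os.urandom(16).hex()
        self.sessions[token] = user
        return token

    def _principal(self, token):
        # Unknown or missing token: treat the caller as "nobody".
        return ANONYMOUS if token is None else self.sessions.get(token, ANONYMOUS)

    def mount(self, volume, token=None):
        who = self._principal(token)
        if volume in self.public_volumes:
            return True                        # "oh, sure, anybody can look"
        if who != ANONYMOUS and who in self.mount_acl.get(volume, set()):
            return True
        raise AccessDenied(f"{who} may not mount {volume}")

    def write(self, path, data, token=None):
        who = self._principal(token)
        entry = self.files.get(path)
        owner = who if entry is None else entry["owner"]
        if who == ANONYMOUS or owner != who:
            raise AccessDenied(f"{who} may not write {owner}'s file {path}")
        readers = set() if entry is None else entry["readers"]
        self.files[path] = {"owner": who, "data": data, "readers": readers}

    def share(self, path, other, token=None):
        """Owner Y saying that X may read: the only way X gets read access."""
        who = self._principal(token)
        if self.files[path]["owner"] != who:
            raise AccessDenied(f"{who} does not own {path}")
        self.files[path]["readers"].add(other)

    def read(self, path, token=None):
        who = self._principal(token)
        entry = self.files[path]
        if who != entry["owner"] and who not in entry["readers"]:
            raise AccessDenied(f"{who} may not read {entry['owner']}'s file {path}")
        return entry["data"]


def _denied(action):
    try:
        action()
        return False
    except AccessDenied:
        return True


def demo():
    """Walk through the post's exchanges; returns what each step yielded."""
    server = FileServer()
    server.add_user("alice", "correct horse")      # constructed sample users
    server.add_user("bob", "battery staple")
    r = {}
    r["anon_root"] = server.mount("/")              # boot: "I am nobody" -> ok
    r["anon_usr_denied"] = _denied(lambda: server.mount("/usr"))
    r["wrong_pw_denied"] = _denied(lambda: server.login("alice", "guess"))
    alice = server.login("alice", "correct horse")
    bob = server.login("bob", "battery staple")
    r["alice_usr"] = server.mount("/usr", alice)    # in the ACL -> ok
    server.write("/usr/alice/notes", b"mine", alice)
    r["bob_clobber_denied"] = _denied(
        lambda: server.write("/usr/alice/notes", b"bogus", bob))
    r["bob_read_denied"] = _denied(lambda: server.read("/usr/alice/notes", bob))
    server.share("/usr/alice/notes", "bob", alice)  # Y says X may read
    r["bob_read_after_share"] = server.read("/usr/alice/notes", bob)
    return r


if __name__ == "__main__":
    print(demo())
```

Every decision is taken on the server from state the server itself wrote (session table, ACL, file owner), which is why a client that is superuser on its own disk still cannot read or clobber another user's data.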