Path: utzoo!attcan!uunet!lll-winken!lll-tis!ames!mailrus!tut.cis.ohio-state.edu!bloom-beacon!arktouros!dyer
From: dyer@arktouros.MIT.EDU (Steve Dyer)
Newsgroups: comp.sys.next
Subject: addressing the problem of root access via insecure optical filesystems
Message-ID: <7569@bloom-beacon.MIT.EDU>
Date: 20 Oct 88 02:17:54 GMT
References: <360@elan.UUCP> <449@oracle.UUCP> <4005@phoenix.Princeton.EDU> <458@oracle.UUCP>
Sender: daemon@bloom-beacon.MIT.EDU
Reply-To: dyer@arktouros.MIT.EDU (Steve Dyer)
Organization: MIT Project Athena, Cambridge MA 02139
Lines: 55

In article hedrick@athos.rutgers.edu (Charles Hedrick) writes:
>Unless they provide some way to lock a given optical disk in the machine
>permanently, we sure can't put a system like that out in public.

This has little to do with NeXT, except insofar as it addresses some of the
security issues surrounding the disk which have been brought up here.

At Project Athena here at MIT, the problem of security with publicly
accessible workstations was recognized early: namely, that it is impossible
to trust an arbitrary machine connected to the network. We don't even
try--in fact, the root password is the same for all public workstations and
is widely published. The Kerberos authentication system developed as part
of Athena provides a mechanism for a user on a workstation to positively
identify themselves as legitimate users of the services available on the
network in the Athena environment. Kerberos is described in the proceedings
of the Winter '88 USENIX conference held in Dallas last February.

In addressing the problem of NFS access and the ability to rewrite
/etc/passwd on the local machine/filesystem, thus giving a workstation
access to files owned by arbitrary UIDs, we have introduced the concept of
"UID maps" on NFS servers which control access based on the IP address and
UID fields of the incoming RPC/NFS packet.
In the absence of an installed UID map, the credentials of the incoming
request are changed to UID "nobody", analogous to the mapping already
enforced in NFS for root access. A new rpc.mountd procedure call which uses
Kerberos securely installs a new UID map on the NFS server at the user's
request. There are no kernel modifications necessary on the client
workstation; just the Kerberos software and a new command used with the
mount command which installs the UID map for the user. Inside Athena, these
are combined into a single program, "attach", but the individual programs
can also be used. UID maps are destroyed at logout time.

The changes required to the NFS server are precisely 4 lines of code to the
main server dispatch routine, and about 2 pages of code which manage the UID
map structures. The NFS server has no knowledge of Kerberos; it merely looks
for the presence of an installed UID map. The rpc.mountd program was
modified to recognize a new procedure call which installs the UID map using
a new system call, after authenticating the request via Kerberos.

Although this scheme was developed for Vaxstations and RT/PC running
4.3BSD, it will work with any system providing NFS which supports
application access to the RPC layer. We have it running under A/UX right
now, and it should be trivial to add it to the NeXT system, which we will
once our machines are delivered. If your machines which provide your NFS
service come with kernel source code, you should be able to make the
necessary modifications with little effort.

Kerberos is also used for authentication of other services, such as rlogin,
rsh, POP, just to name a few. Naturally, changing these to use Kerberos
requires source code.

---
Steve Dyer
dyer@arktouros.MIT.EDU
dyer@spdcc.COM aka {harvard,husc6,ima,bbn,m2c,mipseast}!spdcc!dyer
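The UID-map lookup the post describes, written out as an added illustration (this is not Athena's server code): install and destroy of a per-(client address, UID) map, and the dispatch-path check that maps any request without a map, or any claimed root, to "nobody". Structure fields, the table size and the nobody UID value are assumptions.

```c
/* Added illustration of the UID-map lookup the post describes; not Athena's code.
 * Field names, table size and UID_NOBODY (65534) are assumptions. */
#include <stdint.h>
#define UID_NOBODY  65534u
#define MAX_UIDMAPS 64

/* Requests from client `addr` claiming `client_uid` run as `server_uid`.
 * rpc.mountd installs a map after Kerberos authenticates the user; the NFS
 * server itself never sees Kerberos, it only looks maps up. */
struct uidmap { uint32_t addr, client_uid, server_uid; int in_use; };
static struct uidmap uidmaps[MAX_UIDMAPS];

static struct uidmap *uidmap_find(uint32_t addr, uint32_t client_uid)
{
    for (int i = 0; i < MAX_UIDMAPS; i++)
        if (uidmaps[i].in_use && uidmaps[i].addr == addr &&
            uidmaps[i].client_uid == client_uid)
            return &uidmaps[i];
    return 0;
}

/* Install or update a map (login/attach). Returns 0, or -1 if the table is full. */
int uidmap_install(uint32_t addr, uint32_t client_uid, uint32_t server_uid)
{
    struct uidmap *m = uidmap_find(addr, client_uid);
    for (int i = 0; !m && i < MAX_UIDMAPS; i++)
        if (!uidmaps[i].in_use) m = &uidmaps[i];
    if (!m) return -1;
    *m = (struct uidmap){ addr, client_uid, server_uid, 1 };
    return 0;
}

/* Destroy a map (logout). Returns 1 if one was removed, 0 if none existed. */
int uidmap_destroy(uint32_t addr, uint32_t client_uid)
{
    struct uidmap *m = uidmap_find(addr, client_uid);
    if (!m) return 0;
    m->in_use = 0;
    return 1;
}

/* The check on the server dispatch path: a credential is worth only what an
 * installed map says. No map means the request runs as nobody, and a claimed
 * root (UID 0) is squashed as stock NFS already does, so a workstation that
 * rewrote its own /etc/passwd gains nothing on the server. */
uint32_t uidmap_resolve(uint32_t addr, uint32_t claimed_uid)
{
    struct uidmap *m = claimed_uid ? uidmap_find(addr, claimed_uid) : 0;
    return m ? m->server_uid : UID_NOBODY;
}
```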