Path: utzoo!utgpu!jarvis.csri.toronto.edu!rutgers!cs.utexas.edu!uunet!mcvax!ukc!warwick!mirk
From: mirk@warwick.UUCP (Mike Taylor)
Newsgroups: comp.unix.wizards
Subject: Getting rid of the root account (Was: GNU OS)
Summary: Bad idea - Mr. Thompson knew what he was doing.
Keywords: Guinness, phlegm, mackerel, intestines
Message-ID: <1961@ubu.warwick.UUCP>
Date: 2 Jun 89 18:43:09 GMT
References: <106326@sun.Eng.Sun.COM> <4315@ficc.uu.net> <16597@rpp386.Dallas.TX.US>
Sender: news@warwick.UUCP
Reply-To: mirk@uk.ac.warwick.cs (Mike Taylor)
Organization: Computer Science, Warwick University, UK
Lines: 60

In article <3, I think> jfh@rpp386.cactus.org (John F. Haugh II) writes:
> I think [a previous poster] meant getting rid of UID == 0 being a
> privileged user. Again, this is an Orange Book requirement. It also
> makes much sense. Programs should have privilege, not users. The
> ability to access a program can then be limited to a collection of
> users or groups.

Uuuh, are you sure? There seems to be a prevailing feeling that the
whole of UNIX is something that was cobbled together at random by
people writing bits without thinking about whether or not they were
secure, made sense or whatever. While this is largely true of
Berkeley UNIX, or at least, of those bits that have been added since
V7, the concept of a root id belongs to fundamental core UNIX; it is
one of the concepts that Thompson, Ritchie and friends thought long
and hard about when they were designing UNIX. Granted, at that time,
it was never intended primarily to be a *secure* system, but it was
*very* carefully designed, nothing was in that hadn't been thought
through, and root is no exception.

Like GOTO, I maintain that the problem with root is not that it is a
flawed concept, but that it is misused, overused, and generally
ABused by people who should know better. The UNIX way of handling
privilege IS fundamentally secure, and it's pretty elegant to boot.
You have exactly one privileged user, and one way of inheriting that
privilege -- the setuid mechanism. The fact that many UNIX
installations are insecure is due to the mess that people have built
on top of that idea, not on the idea itself. Most UNIXes have many
things setuid to root which really don't need to be. For example ...

> Or use /etc/group to allow some group of users to newgrp to an
> administrative account. The group ``dumpers'' might exist for persons
> taking file system dumps. All of the dumpable devices would then have
> file group ``dumpers''. Root wouldn't have to be used for dumps any
> longer.

You can already do this -- the mechanisms are in place and have been
since way way back. All that needs to be done is make the program
group-executable, and maybe setuid to whatever account it needs to be
able to access the dump device. There's almost always already a way
to do it, I have found. Whatever "it" is.

I believe in having as many accounts as necessary to run all the
standard daemons, servers &c., under their own account, so as to
decentralise privilege. Many services are setuid root in order to do
some simple thing, whereas all they really need is to be setuid to a
special account that owns whatever files need privileged access. Then
people penetrating security in, say, fingerd (not topical any more,
but never mind) would then have obtained access to the account
"finger", but not to root. Big deal. And remember -- all this can be
done, without bending over backwards, with UNIX machinery that
already exists.

"Those who do not understand UNIX are condemned to re-invent it, poorly"
        -- Henry Spencer.
______________________________________________________________________________
Mike Taylor - {Christ,M{athemat,us}ic}ian ... Email to: mirk@uk.ac.warwick.cs
Unkle Mirk sez: "You fritter and waste the hours in an offhand waistcoat."
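The post's complaint is that installations carry many setuid-root programs that only need a service account. The following audit script is an added example, not part of Mike Taylor's article: it lists the setuid/setgid executables under a directory and tallies which account each one grants, so the setuid-root entries stand out for review. It assumes GNU find (for -printf); the file names used in its test are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit a tree for setuid/setgid
# executables and show which account each one grants. Assumes GNU find.

# setid_report DIR
#   One line per setuid/setgid regular file: "<octal mode> <owner> <group> <path>".
#   find's %m prints the mode without a leading zero, so setid files show
#   four digits (e.g. 4755, 2755, 6755).
setid_report() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%m %u %g %p\n' 2>/dev/null | sort -k4
}

# setid_by_account DIR
#   Tally the report by the account it grants: "setuid <owner> <n>" for files
#   with the setuid bit, "setgid <group> <n>" for files with the setgid bit.
#   A large "setuid root" count is the list to review first; each entry is a
#   candidate for setuid to a dedicated account (e.g. "finger", "dumpers").
setid_by_account() {
    setid_report "$1" | awk '
        substr($1,1,1) ~ /[4567]/ { su[$2]++ }   # setuid bit: 4xxx/5xxx/6xxx/7xxx
        substr($1,1,1) ~ /[2367]/ { sg[$3]++ }   # setgid bit: 2xxx/3xxx/6xxx/7xxx
        END {
            for (u in su) printf "setuid %s %d\n", u, su[u]
            for (g in sg) printf "setgid %s %d\n", g, sg[g]
        }' | sort
}

# setuid_root_count DIR -> number of setuid-root files under DIR
setuid_root_count() {
    find "$1" -type f -perm -4000 -user root 2>/dev/null | wc -l | tr -d ' '
}
```

Run `setid_by_account /usr/bin` (or `/` on a quiet system) to see the split between root and dedicated accounts; `setid_report` then gives the per-file detail.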