Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!rutgers!gatech!uflorida!haven!adm!smoke!gwyn
From: gwyn@smoke.BRL.MIL (Doug Gwyn)
Newsgroups: comp.unix.wizards
Subject: Re: Getting rid of the root account
Message-ID: <10370@smoke.BRL.MIL>
Date: 6 Jun 89 15:08:25 GMT
References: <106326@sun.Eng.Sun.COM> <4315@ficc.uu.net> <16597@rpp386.Dallas.TX.US> <1961@ubu.warwick.UUCP> <16638@rpp386.Dallas.TX.US>
Reply-To: gwyn@brl.arpa (Doug Gwyn)
Organization: Ballistic Research Lab (BRL), APG, MD.
Lines: 17

In article <16638@rpp386.Dallas.TX.US> jfh@rpp386.cactus.org (John F. Haugh II) writes:
>Monolithic privilege is simple, elegant and neither secure nor
>trustable. Any single flaw in the privilege scheme may be exploited
>to obtain complete privilege.

To the contrary, the kernel implementation of UID 0 being the ONLY
privileged UID along with the set-UID implementation is small and
simple enough to be completely validated. That provides sufficient
kernel support for layered implementation of more elaborate security
schemes.

You need to distinguish between the typical hodge-podge of user-mode
privileged programs found on commercial UNIX systems and the inherent
security hooks. The latter make possible implementation of a provably
secure, trustworthy multi-level security scheme. More elaborate kernel
hooks make it harder to be sure there are no loopholes.

It doesn't matter what a "flaw" would mean if you can PROVE there are
no flaws.
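As an added illustration of the argument above (not code from the post or from any real kernel): a toy model of the two kernel rules Gwyn says are small enough to validate completely, namely "effective UID 0 is the only privileged UID" and "set-UID exec is the only way to acquire it", plus a user-mode helper layered on top that applies its own policy and then discards root. The struct names, `model_exec`, `model_setuid` and `helper_main` are this example's own simplifications of classic UNIX semantics.

```c
#include <stdbool.h>
#include <stddef.h>

/* Teaching model of classic UNIX privilege (assumption: V7-style rules,
 * no saved uid, no groups).  Not any real kernel's code. */
struct proc { unsigned ruid, euid; };             /* real / effective uid */
struct file { unsigned owner; bool setuid_bit; };  /* inode owner, mode bit */

/* The entire kernel privilege test: is the effective uid 0? */
bool suser(const struct proc *p) { return p->euid == 0; }

/* exec(): only a set-UID file can change the effective uid, and only to
 * the file's owner.  A plain file leaves privilege untouched. */
void model_exec(struct proc *p, const struct file *f) {
    if (f->setuid_bit) p->euid = f->owner;
}

/* setuid(): root may become anyone; everyone else may only set both
 * uids to their real uid (i.e. give privilege up, never gain it). */
int model_setuid(struct proc *p, unsigned uid) {
    if (suser(p) || uid == p->ruid) { p->ruid = p->euid = uid; return 0; }
    return -1;  /* EPERM in the model */
}

/* Layered user-mode policy built on those hooks: a set-UID-root helper
 * that admits only listed callers and drops root permanently before
 * returning, whether or not the caller was admitted. */
int helper_main(struct proc *p, const unsigned *allowed, size_t n) {
    bool admitted = false;
    for (size_t i = 0; i < n; i++)
        if (allowed[i] == p->ruid) admitted = true;
    int rc = admitted ? 0 : -1;
    if (admitted) { /* privileged work would happen here */ }
    model_setuid(p, p->ruid);  /* irreversible: euid becomes ruid != 0 */
    return rc;
}
```

The invariants worth checking are exactly the ones the post relies on: an unprivileged process cannot reach UID 0 through `setuid`, a non-set-UID exec never grants it, and the helper never returns while still privileged.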