Path: utzoo!utgpu!jarvis.csri.toronto.edu!rutgers!cs.utexas.edu!tut.cis.ohio-state.edu!mailrus!shadooby!accuvax.nwu.edu!tank!eecae!cps3xx!rang
From: rang@cpsin3.cps.msu.edu (Anton Rang)
Newsgroups: comp.unix.wizards
Subject: Re: Getting rid of the root account
Message-ID: <3327@cps3xx.UUCP>
Date: 6 Jun 89 23:06:08 GMT
References: <106326@sun.Eng.Sun.COM> <4315@ficc.uu.net> <16597@rpp386.Dallas.TX.US> <1961@ubu.warwick.UUCP> <16638@rpp386.Dallas.TX.US> <10370@smoke.BRL.MIL>
Sender: usenet@cps3xx.UUCP
Reply-To: rang@cpsin3.cps.msu.edu (Anton Rang)
Organization: Michigan State University, Computer Science Dept.
Lines: 35

In article <10370@smoke.BRL.MIL> gwyn@brl.arpa (Doug Gwyn) writes:
>In article <16638@rpp386.Dallas.TX.US> jfh@rpp386.cactus.org (John F. Haugh II) writes:
>>Monolithic privilege is simple, elegant and neither secure nor
>>trustable. Any single flaw in the privilege scheme may be exploited
>>to obtain complete privilege.
>
>To the contrary, the kernel implementation of UID 0 being the ONLY
>privileged UID along with the set-UID implementation is small and
>simple enough to be completely validated.

  [ stuff about layers ]

>More elaborate kernel hooks make it harder to be sure there are no
>loopholes.

  Why?  If you have a layered security system, every part of it must be
validated.  It's no easier than putting it in the kernel.  What's more,
if you have a single privilege, you have to ensure that EVERY operation
you do is provably secure.  I doubt this is doable with existing
validation mechanisms.

>It doesn't matter what a "flaw" would mean if you can PROVE there are
>no flaws.

  This can be done (well, approximated) much more easily if you have a
large number of distinct privileges.  If a section of code is running
with, say, "GROUP" privilege (under VMS, this gives access to other
processes in the group, and allows access to group data structures), you
don't need to worry that a call to open a file will read a protected
file.  With monolithic privilege, any privileged code could do this.

  I've done some (little) work on security validation.  It's not easy.
Monolithic privilege schemes don't help at all.

+---------------------------+------------------------+
| Anton Rang (grad student) | "VMS Forever!"         |
| Michigan State University | rang@cpswh.cps.msu.edu |
+---------------------------+------------------------+
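The argument in the post, that a bug in code holding only GROUP privilege cannot turn into a read of a protected file, whereas the same bug in code running as UID 0 can, is easy to see in a toy reference monitor. The following is an added example for this thread, not code from the post, from VMS or from any Unix kernel: two tiny "kernels" enforce the same two operations, and one deliberately flawed service routine is run under each. The privilege names BYPASS (for reading protected files) and GROUP, the uids, the file names and the flaw itself are all constructed assumptions for the model.

```python
"""Toy model of monolithic (UID 0) versus fine-grained privilege.

Constructed example; not the post's code and not a real kernel.
  * MonolithicKernel  - UID 0 bypasses every check.
  * FineGrainedKernel - named privileges; GROUP lets a process act on
    processes in its own group, and a separate privilege (called BYPASS
    here, an assumption) is needed to read someone else's protected file.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet


@dataclass(frozen=True)
class File:
    name: str
    owner_uid: int
    world_readable: bool = False


@dataclass(frozen=True)
class Subject:
    uid: int
    gid: int
    privs: FrozenSet[str] = frozenset()  # consulted only by FineGrainedKernel


class Denied(PermissionError):
    """Raised when the reference monitor refuses an operation."""


class MonolithicKernel:
    """UID 0 is the only privileged UID and it bypasses every check."""

    def open_file(self, s: Subject, f: File) -> str:
        if s.uid == 0 or s.uid == f.owner_uid or f.world_readable:
            return f"<contents of {f.name}>"
        raise Denied(f.name)

    def signal_process(self, s: Subject, target: Subject) -> bool:
        if s.uid == 0 or s.uid == target.uid:
            return True
        raise Denied(f"signal uid {target.uid}")


class FineGrainedKernel:
    """Distinct privileges; each check asks only for the one it needs."""

    def open_file(self, s: Subject, f: File) -> str:
        if "BYPASS" in s.privs or s.uid == f.owner_uid or f.world_readable:
            return f"<contents of {f.name}>"
        raise Denied(f.name)

    def signal_process(self, s: Subject, target: Subject) -> bool:
        if s.uid == target.uid or ("GROUP" in s.privs and s.gid == target.gid):
            return True
        raise Denied(f"signal uid {target.uid}")


def group_monitor(kernel, me: Subject, target: Subject,
                  requested: str, files: Dict[str, File]) -> str:
    """A service whose legitimate job needs only group-level power.

    The first call is its real job.  The second is a constructed flaw:
    it opens whatever name the caller supplied without checking it.
    How much that flaw can reach depends on the kernel, not the service.
    """
    kernel.signal_process(me, target)              # legitimate use of privilege
    return kernel.open_file(me, files[requested])  # the flaw


def run_service(requested: str) -> Dict[str, str]:
    """Run the flawed service under both schemes for one requested name."""
    files = {  # constructed sample files
        "/tmp/group-status": File("/tmp/group-status", owner_uid=51,
                                  world_readable=True),
        "/etc/secret": File("/etc/secret", owner_uid=0),  # protected
    }
    target = Subject(uid=51, gid=10)
    # Under the monolithic scheme the service must be root to signal the
    # target; under the fine-grained scheme an ordinary uid plus GROUP suffices.
    mono_service = Subject(uid=0, gid=10)
    fine_service = Subject(uid=50, gid=10, privs=frozenset({"GROUP"}))

    outcome = {}
    for name, kernel, me in (("monolithic", MonolithicKernel(), mono_service),
                             ("fine-grained", FineGrainedKernel(), fine_service)):
        try:
            group_monitor(kernel, me, target, requested, files)
            outcome[name] = "opened"
        except Denied:
            outcome[name] = "denied"
    return outcome


if __name__ == "__main__":
    print("intended use :", run_service("/tmp/group-status"))
    print("flaw abused  :", run_service("/etc/secret"))
```

Both kernels let the service do its intended work, so the fine-grained scheme costs nothing on the legitimate path; the difference only shows when the flaw is reached, where the monolithic kernel has no further check to apply and the fine-grained one refuses because BYPASS was never granted. That is the validation burden the post describes: under UID 0 every operation the service can perform has to be proven safe, while under distinct privileges only the operations GROUP actually enables need the proof.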