Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!ulowell!arosen@hawk.ulowell.edu
From: arosen@hawk.ulowell.edu (MFHorn)
Newsgroups: comp.unix.wizards
Subject: Re: Re:Getting rid of the root account (Was: GNU OS)
Message-ID: <13600@swan.ulowell.edu>
Date: 7 Jun 89 18:46:06 GMT
References: <1177@shell.shell.com>
Sender: news@swan.ulowell.edu
Lines: 33

From article <1177@shell.shell.com>, by dinah@shell.UUCP (Dinah Anderson):
> In article <3, I think> jfh@rpp386.cactus.org (John F. Haugh II) writes:
>> I think [a previous poster] meant getting rid of UID == 0 being a
>> privileged user.

That may have been me, or I'm one of those that agree.

> the real issue
> is the users running the programs, not the programs themselves. We need
> to know who is running what programs (for accountability in extreme
> sensitive cases.)

Exactly. One of the most important parts of my privileges design is
the ability to log the use of any/all privileges. The message would
include the privilege used, who used it, and the object(s) acted upon
(file, process, etc.). [And unlike VMS, you won't be able to turn
accounting off without tripping an alarm.]

By having multiple privileges, you can more easily monitor who is doing
what. It's also [almost] trivial to detect a breakin; you know who did
something, what they did, and when and how they did it.

Another thing that makes my privilege scheme better than VMS' (IMHO) is
it's simple, and documented. I have not met a VMS guru who can say exactly
what a user can do with a particular privilege, or (especially) a
combination of privileges. Also, no one can say what privileges are
needed to perform a particular task.

--
Andy Rosen           | arosen@hawk.ulowell.edu | "I got this guitar and I
ULowell, Box #3031   | ulowell!arosen          |  learned how to make it
Lowell, Ma 01854     |                         |  talk" -Thunder Road
                RD in '88 - The way it should've been
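
An added example, not part of the original post and not the poster's own design: a small review pass over privilege-use records of the kind the post describes (privilege used, who used it, object(s) acted upon, and when). The record layout, the PRIV_* names and the grant table are assumptions made for illustration, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the post): time, user, privilege, objects.
SAMPLE_LOG = """\
1989-06-07T18:40:02 user=operator priv=PRIV_BACKUP obj=/usr/spool/mail
1989-06-07T18:41:10 user=staff1 priv=PRIV_KILL obj=pid:312
1989-06-07T18:42:55 user=guest priv=PRIV_CHOWN obj=/etc/passwd,/bin/login
this line is damaged
1989-06-07T18:43:07 user=guest priv=PRIV_AUDIT_OFF obj=audit
"""

# Hypothetical grant table: the privileges each user legitimately holds.
GRANTS = {"operator": {"PRIV_BACKUP"}, "staff1": {"PRIV_KILL", "PRIV_CHOWN"}}
AUDIT_OFF = "PRIV_AUDIT_OFF"  # hypothetical name for "turn accounting off"

RECORD = re.compile(r"^(\S+) user=(\S+) priv=(\S+) obj=(\S+)$")

def review(log, grants):
    """Return (usage, alarms): who used which privilege on what, plus alarms."""
    usage = defaultdict(list)
    alarms = []
    for number, line in enumerate(log.splitlines(), start=1):
        if not line.strip():
            continue
        match = RECORD.match(line.strip())
        if match is None:
            # A record that cannot be read is itself worth an alarm.
            alarms.append((f"line {number}", "?", "unreadable audit record"))
            continue
        when, user, priv, objs = match.groups()
        objects = objs.split(",")
        usage[user].append((when, priv, objects))
        if priv == AUDIT_OFF:
            # Turning accounting off is logged and always trips an alarm.
            alarms.append((when, user, "accounting turned off"))
        if priv not in grants.get(user, set()):
            alarms.append((when, user, f"{priv} used without a grant"))
    return dict(usage), alarms

if __name__ == "__main__":
    usage, alarms = review(SAMPLE_LOG, GRANTS)
    for user, events in usage.items():
        for when, priv, objects in events:
            print(f"{when} {user} used {priv} on {', '.join(objects)}")
    for alarm in alarms:
        print("ALARM:", *alarm)
```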