Path: utzoo!attcan!uunet!mcvax!ukc!warwick!maujf
From: maujf@warwick.ac.uk (Mike Taylor)
Newsgroups: comp.unix.wizards
Subject: Re: Getting rid of the root account
Summary: UNIX *does* support "layered security"
Keywords: Guinness, phlegm, mackerel, intestines
Message-ID: <127@orchid.warwick.ac.uk>
Date: 8 Jun 89 16:01:40 GMT
References: <106326@sun.Eng.Sun.COM> <4315@ficc.uu.net> <16597@rpp386.Dallas.TX.US> <1961@ubu.warwick.UUCP> <16638@rpp386.Dallas.TX.US> <10370@smoke.BRL.MIL> <3327@cps3xx.UUCP>
Reply-To: mirk@uk.ac.warwick.cs (Mike Taylor)
Organization: Computing Services, Warwick University, UK
Lines: 38

[I suggested that the UNIX privilege mechanism is elegant and secure]

In article <3327@cps3xx.UUCP> rang@cpsin3.cps.msu.edu (Anton Rang) writes:
> [Proof of OS security] can be done (well, approximated) much more
> easily if you have a large number of distinct privileges.  If a
> section of code is running with, say, "GROUP" privilege ...

I will never understand why people find it so difficult to accept that
UNIX allows this. All the mechanisms are in place; the only thing that
is required is for sysadmins to take the time to configure their systems
in a way that takes advantage of it. That's what UNIX groups, and group
permissions on files, are all about! Using the setuid mechanism, it's
quite simple to limit the extent of any user's or any group's privileges.

> You don't need to worry that a call to open a file will read a
> protected file.  With monolithic privilege, any privileged code
> could do this.

No, only if the system is carelessly set up. Suppose we want to allow a
group of four or five people access to root privileges, but only for one
particular job. Then we write a program to do this job, and chmod it
4750 (-rwSr-x---), so that anyone in the right group can run it as root,
but no-one else can access it. Then you put the users in the relevant
group, and there you are. What's so difficult about it?

If you barf at the idea of allowing the root privileges at all, even
when only a single operation is possible, then you can always make the
resource that the file uses (maybe an accounting file?) group-writeable.
Of course, this is preferable when possible, but sometimes can't be done
(maybe the resource already needs to belong to another group, like
/dev/kmem being group kmem). But to re-iterate my point again: UNIX
supplies a complete, elegant and secure privilege mechanism, and the fact
that it has so many holes in it *now* is only due to the insecure things
people have done with it.

______________________________________________________________________________
Mike Taylor - {Christ,M{athemat,us}ic}ian ... Email to: mirk@uk.ac.warwick.cs