Path: utzoo!utgpu!jarvis.csri.toronto.edu!rutgers!sun-barr!cs.utexas.edu!execu!sequoia!rpp386!jfh
From: jfh@rpp386.Dallas.TX.US (John F. Haugh II)
Newsgroups: comp.unix.wizards
Subject: Re: Getting rid of the root account
Message-ID: <16659@rpp386.Dallas.TX.US>
Date: 10 Jun 89 02:02:42 GMT
References: <127@orchid.warwick.ac.uk>
Reply-To: jfh@rpp386.cactus.org (John F. Haugh II)
Organization: River Parishes Programming, Plano TX
Lines: 47

In article <127@orchid.warwick.ac.uk> mirk@uk.ac.warwick.cs (Mike Taylor) writes:
>But to re-iterate my point again: UNIX supplies a complete, elegant
>and secure privilege mechanism, and the fact that it has so many holes
>in it *now* is only due to the insecure things people have done with
>it.

Your plan requires at a minimum concurrent group sets, and then STILL
requires being SUID root if it performs any of the tasks which only
root may perform.

Consider for a moment a `mount' program which only group `oper' may
execute.  Group `oper' is not special - you must still be UID 0 in
order to mount a filesystem [ System V leastwise ].  So you must make
the modes 4010 with user `root' and group `oper'.  And you must prove
that EVERY operation performed by `mount' conforms to the security
system you've implemented.

The alternative is to grant the mount program `MOUNT' privilege _and_
use permission bits.  Make the program mode 010, group oper, and have
code similar to

	add_privilege (MOUNT);
	mount (device, directory);
	drop_privilege (MOUNT);

buried in there.  Now you must only show that the privilege MOUNT can
not be abused by other calls - and it can't because the privilege only
exists during the mount() system call.

You may make your job much easier by coding

	main (...)
	{
		drop_privilege (ALL);

as the very first step.  Your proof now consists of the statement
`There is no privilege to abuse, except here ...'

This is why least privilege and privilege bracketing is such a hot
idea.  What are you going to trust, a program running with root
privilege 100 percent of the time, or a program running demonstrably
with no privilege 99 percent of the time and only a single privilege
the remaining 1 percent?
-- 
John F. Haugh II                        +-Button of the Week Club:-------------
VoiceNet: (512) 832-8832   Data: -8835  | "AIX is a three letter word,
InterNet: jfh@rpp386.Cactus.Org         |  and it's BLUE."
UucpNet : !bigtex!rpp386!jfh            +--------------------------------------