Path: utzoo!attcan!uunet!mcvax!ukc!warwick!maujf
From: maujf@warwick.ac.uk (Mike Taylor)
Newsgroups: comp.unix.wizards
Subject: Re: Getting rid of the root account
Message-ID: <132@orchid.warwick.ac.uk>
Date: 9 Jun 89 11:28:30 GMT
References: <10370@smoke.BRL.MIL> <16650@rpp386.Dallas.TX.US>
Reply-To: maujf@warwick.ac.uk (Mike Taylor)
Organization: Computing Services, Warwick University, UK
Lines: 22

In article <16650@rpp386> jfh@rpp386.cactus.org (John F. Haugh II) writes:
> In article <10370@smoke.BRL.MIL> gwyn@brl.arpa (Doug Gwyn) writes:
>> The kernel implementation of UID 0 being the ONLY privileged UID along
>> with the set-UID implementation is small and simple enough to be
>> completely validated.
> Agreed. You may trivially verify that the suser() function performs
> the desired result. This is not news. Now go verify that the
> utilities which execute with root privilege perform their intended
> function.

You keep saying this. The point is, _it's_not_the_kernel's_fault!_
Just because a lot of people have written insecure utilities and
persuaded other people to make them setuid root, doesn't make the
fundamental system insecure -- it just makes the people stupid, and
that really _isn't_ news! :-)

If UNIX had been written with "layered privileges" in the kernel,
(instead of the system we have whereby you can build them using
groups and the suid mechanism), then its security would still be
the mess it is today, just because that is what people are like.
______________________________________________________________________________
Mike Taylor - {Christ,M{athemat,us}ic}ian ... Email to: mirk@uk.ac.warwick.cs