Path: utzoo!utgpu!jarvis.csri.toronto.edu!rutgers!bellcore!texbell!sugar!ficc!peter
From: peter@ficc.uu.net (Peter da Silva)
Newsgroups: comp.unix.wizards
Subject: Re: Getting rid of the root account
Message-ID: <4491@ficc.uu.net>
Date: 10 Jun 89 14:15:22 GMT
References: <106326@sun.Eng.Sun.COM> <4315@ficc.uu.net> <16658@rpp386.Dallas.TX.US>
Organization: Xenix Support
Lines: 18

In article <16658@rpp386.Dallas.TX.US>, jfh@rpp386.Dallas.TX.US (John F. Haugh II) writes:
> Proving a kernel secure is not sufficient. You must also prove that all
> of the programs executing with privilege are secure. By creating more
> programs to manage privilege you are creating a larger task.

This is questionable. I would much rather prove that the superuser is safe
and then verify separate programs than prove that sets of routines in the
kernel are all secure. For one thing you can do it incrementally. And you're
still going to have a bunch of programs that will have to be verified.
--
Peter da Silva, Xenix Support, Ferranti International Controls Corporation.
Business: uunet.uu.net!ficc!peter, peter@ficc.uu.net, +1 713 274 5180.
Personal: ...!texbell!sugar!peter, peter@sugar.hackercorp.com.