Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!cs.utexas.edu!uunet!mcvax!ukc!warwick!maujf
From: maujf@warwick.ac.uk (Mike Taylor)
Newsgroups: comp.unix.wizards
Subject: Re: Getting rid of the root account
Message-ID: <143@orchid.warwick.ac.uk>
Date: 12 Jun 89 00:44:43 GMT
References: <127@orchid.warwick.ac.uk> <16659@rpp386.Dallas.TX.US>
Reply-To: mirk@uk.ac.warwick.cs (Mike Taylor)
Organization: Computing Services, Warwick University, UK
Lines: 16

In article <16659@rpp386> jfh@rpp386.cactus.org (John F. Haugh II) writes:
> Consider for a moment a `mount' program which only group `oper' may
> execute. You must make the mode 4010 with user 'root' and group
> 'oper'. And you must prove that EVERY operation performed by `mount'
> conforms to the security system you've implemented.

Not at all -- It is quite possible to have a setuid root binary that
immediately throws away its privilege when run, reverting to the
effective uid of its invoker, and which restores its root-ness only for
the "critical region" in which it is doing those dark and secret things
that only root can do. Then the critical section alone need be verified,
and security holes in the rest of the program do not cause the security
of the root account to be compromised.

______________________________________________________________________________
Mike Taylor - {Christ,M{athemat,us}ic}ian ... Email to: mirk@uk.ac.warwick.cs
"Quick! Back into the fish!" - Eric Idle (Burthold in "Baron Munchhausen")
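The drop-then-regain pattern the reply describes, as an added example that is not part of the original post: a setuid-root program sheds its effective uid on entry and regains the saved uid only around one operation. The function names and the probe operation are my own construction; the code also runs unprivileged, where the two uids simply coincide.

```c
#define _XOPEN_SOURCE 700   /* for seteuid() in <unistd.h> */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

static uid_t invoker_uid;   /* real uid of whoever ran the binary */
static uid_t saved_uid;     /* euid we were started with (0 if setuid root) */
static int   initialised;

/* First thing in main(): remember both uids and shed the effective one.
 * seteuid() leaves the saved set-user-ID intact, so we can come back. */
int drop_privilege(void) {
    if (!initialised) {
        invoker_uid = getuid();
        saved_uid = geteuid();
        initialised = 1;
    }
    return seteuid(invoker_uid);
}

int privilege_is_dropped(void) { return geteuid() == getuid(); }

/* The "critical region": regain the saved euid only for the duration of
 * op(), then drop it again no matter what op() returned. Returns 0 when
 * the raise/drop pair worked, -1 if privilege could not be regained. */
int with_privilege(int (*op)(void *), void *arg, int *op_result) {
    if (seteuid(saved_uid) != 0)
        return -1;
    *op_result = op(arg);
    if (seteuid(invoker_uid) != 0)
        _exit(1);   /* never carry on running as root by accident */
    return 0;
}

/* Stand-in for the privileged work: just record the euid in effect. */
int report_euid(void *arg) { *(uid_t *)arg = geteuid(); return 0; }

/* Exercise the pattern end to end: 1 if the region ran with the saved
 * euid and privilege was dropped again afterwards, else 0. */
int check_pattern(void) {
    uid_t seen = (uid_t)-1;
    int rc = -1;
    if (drop_privilege() != 0 || !privilege_is_dropped()) return 0;
    if (with_privilege(report_euid, &seen, &rc) != 0 || rc != 0) return 0;
    return seen == saved_uid && privilege_is_dropped();
}

int main(void) {
    printf("pattern ok: %d (real uid %d, euid now %d)\n",
           check_pattern(), (int)getuid(), (int)geteuid());
    return 0;
}
```

Note that the saved set-user-ID stays root between regions, so this contains accidental misuse of root (wrong-uid file access and the like) rather than a code-execution bug, which could still call seteuid(0) itself; a permanent, irreversible drop is setuid(getuid()).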