-x implementations

John F Haugh II jfh at rpp386.cactus.org
Mon Mar 18 23:08:31 AEST 1991 

In article <TH0A5Y8 at xds13.ferranti.com> peter at ficc.ferranti.com (Peter da Silva) writes:
>Maybe, maybe not, but at least I'm paying attention. John, "auth" is a
>*group*. Not a user. Anyone in group "auth" is effectively root. Sean
>has admitted as much.

It was a generic statement, Peter.  Just because you have access does
not mean twiddling some bit works.  And yes, in this specific case,
giving someone access to the user files by putting them in the group
which is permitted to modify user accounts would seem to let them
modify user accounts, no?  There are a number of BSD programs which
act differently for group "wheel" than "staff" or whatever - and yes,
you could probably even go from group "wheel" to UID 0 with a minimum
of effort - but the solution is very, very, simple.  Don't give the
privileges away in the first place.

Back to SCO UNIX, judging from the complaints regarding the obscurity
of the SCO/SecureWare features, it appears that one collection of
C2 criteria which were violated with this system are the ones
involving system documentation.  If, for example, "auth" is some giant
hole that shouldn't be opened up except by the criminally insane, the
"Trusted Facility Manual" should point out the risks associated with
group "auth" in a secure environment, and the test documentation should
outline how SCO and SecureWare tested the system to locate these
deficiencies or verify that the security policy was correctly
implemented.  With a real C2 system we wouldn't be having this
discussion (unless the testing didn't catch some exceptional conditions)
since it would have been laid out in black and white in the documents
the system came with.  It's kind of like the difference between Brand-X
re-runs and Nick-At-Nite brand re-runs ...
-- 
John F. Haugh II        | Distribution to  | UUCP: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 832-8832 | GEnie PROHIBITED :-) |  Domain: jfh at rpp386.cactus.org
"I've never written a device driver, but I have written a device driver manual"
                -- Robert Hartman, IDE Corp.

More information about the Alt.sources.d mailing list