C2 secure systems and the superuser

Dan Bernstein brnstnd at kramden.acf.nyu.edu
Thu Mar 14 10:07:03 AEST 1991


In article <1991Mar13.185609.21132 at convex.com> tchrist at convex.COM (Tom Christiansen) writes:
> From the keyboard of jfh at rpp386.cactus.org (John F Haugh II):
> :In article <1991Mar13.042033.12450 at convex.com> tchrist at convex.COM (Tom Christiansen) writes:
> :>I maintain that both "auth" and "sysadmin" give you indirect
> :>root privileges.

Undoubtedly you would stop complaining if ``auth'' were named
``root-auth'' and ``sysadmin'' were named ``root-sysadmin''.

> :Perhaps "sysadmin" also lets you crash
> :the machine by unmounting critical volumes or over-mounting
> :others.  A quick look at the audit logs will reveal what
> :happened.
> Audit logs can be altered once you are powerful enough.  And
> it's important to stop it from happening in the first place.

The situation is no worse than the situation where ``sysadmin'' equals
``root'' to begin with.

The way UNIX is typically used, you have about three levels of users:
root, independent ``system'' uids and gids, and normal users. If you
have an operation that uses root privileges but you can downgrade it to
a system uid or gid, you make it at least nominally more difficult to
break root, and you reduce the chance that a bug in one program will
bring down the entire system.

Yes, people have to be just as careful with the system uids as with
root. So what? It's no worse than the previous situation, where you'd
need to be root for everything.

I think it would be better for all the system uids to fall within a
special namespace or uid-space. That way it would be hard not to notice
that you're dealing with a system uid. But the concept of having more
structure than ``root'' and ``everyone else'' is inherently sound in any
case.

---Dan
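The downgrade the post argues for, as an added example that is not Dan's code or from the original thread: a C helper that drops root to a dedicated system uid/gid in the order UNIX requires and then verifies that root cannot be regained, plus a check that the target uid lies in a reserved "system" range (the SYSTEM_UID_MAX boundary, is_system_uid and the daemon uid 2 used in main are assumptions, not anything stated in the post).

```c
/* Added example (not from the original post): drop root to a system uid. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed site convention: uids below this value are reserved for daemons
 * and never handed to ordinary users. The boundary is a placeholder. */
#define SYSTEM_UID_MAX 1000

/* Returns 1 if uid is a non-root "system" uid, 0 otherwise. */
int is_system_uid(uid_t uid) {
    return uid != 0 && uid < SYSTEM_UID_MAX;
}

/* Permanently drop to (uid, gid). Returns 0 on success, -1 on failure.
 * Order matters: supplementary groups, then gid, then uid, because once
 * the uid is no longer 0 the group changes would be refused. */
int drop_privileges(uid_t uid, gid_t gid) {
    /* setgroups() needs root; a non-root caller cannot change its
     * supplementary groups anyway, so only attempt it while still root. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0)   /* real, effective and saved gid */
        return -1;
    if (setuid(uid) != 0)   /* real, effective and saved uid */
        return -1;

    /* Verify the drop is irreversible: if a saved uid of 0 survived,
     * setuid(0) would succeed and a bug could climb back to root. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

int main(void) {
    /* As root: drop to an assumed daemon account (uid/gid 2).
     * As a normal user: dropping to your own ids still runs the checks. */
    uid_t uid = getuid() == 0 ? 2 : getuid();
    gid_t gid = getgid() == 0 ? 2 : getgid();
    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("uid=%u gid=%u system=%d\n", (unsigned)getuid(),
           (unsigned)getgid(), is_system_uid(getuid()));
    return 0;
}
```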
