interesting feature on AMIX..

Frank McPherson frank at hfsi.UUCP
Tue Jun 25 01:01:36 AEST 1991


In article <1991Jun24.005213.944 at convex.com> swarren at convex.com (Steve Warren) writes:
>On a machine in which you do not have super-user permission you would not be
>able to chmod any files to setuid-root.  However, on your own personal
>property machine you would of course be the super-user.  You could create
>setuid-root files to your heart's content.  What is at issue here is the
>concern that you could transfer this file to another system without your
>permission to do so being questioned.  The new system, believing that only the
>super-user has permission to *create* such files, would not hesitate to
>perform the setuid-root operation when any file with the setuid-root mode was
>executed.

Good point.  I hadn't completely considered the issue, and didn't completely
understand the implications.  Thanks for pointing them out and taking the
time to explain them.  


>The idea of security is that the OS must be able to supervise the permissions
>of all files introduced by non-root users.  This means that any scheme
>allowing non-root users to mount filesystems must include a bullet-proof way
>of verifying the permissions of all files on the new filesystem.

That's something I don't believe the current system does.  I can't check
right at the moment, because I'm at work, but I certainly will when I 
get home.  Fsck is automatically performed on each floppy file system before
it is mounted, but I don't think any checking of the permissions is done.


>Once they are verified there must also be a check to make certain that the
>user does not mount a filesystem and then swap disks with an identical
>filesystem, but different permissions on the identical files.  At that
>point the user-mounted filesystem should be unmounted, because once the floppy
>is removed from the system there is no guarantee that the disk will be
>returned unmodified.

Another good point.  I know AmigaDOS checks for diskchange, but does 
Amiga Unix?  Is recognizing diskchange part of the hardware of the Amiga,
or is it the software?  I'm kind of confused about that, since under 
AmigaDOS the drives click, but the clicking may be turned off with several
public domain programs.  AmigaUNIX doesn't seem to notice if I take a 
disk out of the drive, except perhaps when it tries to synch it.  People
often will forget to unmount floppies before they leave, which is an ugly
problem.  

>
>How about writing a daemon that runs quietly and secretly copies every floppy
>that students mount, to the harddrive?  I think that this represents an
>overwhelming reason to want root access to a small portion of students at any
>university.  That is one reason why those protections are there.

Normally, it isn't possible for the student to store things on the hard
drives of the machines in question.  The home directory of the guest account
is cleared out by the default system login.  However, it is easily possible
to save files elsewhere on the file system so that they don't get deleted
when someone else logs in.  The only reason someone would have to make 
copies of files would be to copy their work; this is indeed a problem.  It
would be nice if people didn't do things like that, but sometimes they do.


-- Frank McPherson		INTERNET: emcphers at manu.cs.vt.edu --
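
Added example, not part of the original post or of Amiga Unix: one way to run the permission check discussed above on a user-mounted filesystem, listing setuid/setgid files and device nodes and checking that the mount carries nosuid and nodev. The /proc/mounts format, the nosuid/nodev options, the function names and the sample mount table are assumptions taken from present-day Linux, not from the thread.

```python
import os
import stat

def audit_tree(root):
    """Walk root and return sorted (relative_path, kind, owner_uid) for every
    setuid/setgid regular file and every device node found."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow symlinks
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: judge the entry itself, not a link target
            rel = os.path.relpath(path, root)
            if stat.S_ISCHR(st.st_mode) or stat.S_ISBLK(st.st_mode):
                findings.append((rel, "device", st.st_uid))
            elif stat.S_ISREG(st.st_mode):
                if st.st_mode & stat.S_ISUID:
                    findings.append((rel, "setuid", st.st_uid))
                if st.st_mode & stat.S_ISGID:
                    findings.append((rel, "setgid", st.st_uid))
    return sorted(findings)

def missing_mount_options(mount_point, mounts_text, required=("nosuid", "nodev")):
    """Return the required options absent from mount_point's entry in
    /proc/mounts-style text, or None if mount_point is not mounted."""
    options = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == mount_point:
            options = set(fields[3].split(","))  # last entry wins: it is the visible one
    if options is None:
        return None
    return [opt for opt in required if opt not in options]

# Constructed sample in /proc/mounts format (not taken from a real system).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/fd0 /mnt/floppy vfat rw,nosuid,nodev,noexec 0 0
/dev/fd1 /mnt/floppy2 ext2 rw 0 0
"""

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, kind, uid in audit_tree(target):
        print("%-7s uid=%-5d %s" % (kind, uid, rel))
    print(missing_mount_options("/mnt/floppy2", SAMPLE_MOUNTS))
```

A scan like this only describes the media at the moment it was read, which is the disk-swap concern raised in the quoted text; mounting with nosuid and nodev makes the kernel ignore those bits regardless of what is on the disk.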


