Complex security mechanism is unsecure
Masataka Ohta
mohta at necom830.cc.titech.ac.jp
Mon Dec 17 01:09:12 AEST 1990
In article <4645 at pkmab.se> ske at pkmab.se (Kristoffer Eriksson) writes:
>What security mechanism are you talking about? What is more complicated?
>I don't see how it is significantly easier to protect the root account alone.
Then, for example, think about a case where an NFS-mounted file system
is exported with root access converted to nobody (but uucp to uucp,
daemon to daemon). Then, list what system administrators should take care of.
>I don't find it that complex.
Do you still think so?
>Really, I think that the addition of more
>than one ring of security by using other uids than only root is very
>valuable and costs next to nothing in extra complexity.
And you can have seven levels of security like Multics without
extra complexity.
>My judgement is that root would
>become more vulnerable to simple mistakes, rather than less.
My point is that root becomes more vulnerable if it trusts uucp, daemon
and others.
>>"uucp" has large capability over files owned by "uucp" and referenced by
>>"root". That is the reality.
>When does root need to reference uucp files?
It is not necessary, but on my 4.2BSD-based system,
% ls -l /usr/bin | grep uucp
-rws--x--x 2 uucp 86016 May 19 1989 cu
---s--s--x 2 uucp 53248 Apr 7 1988 ruusend
-rws--x--x 2 uucp 86016 May 19 1989 tip
---s--s--x 1 uucp 61440 Apr 7 1988 uucp
-rwxr-xr-x 1 uucp 49152 Apr 7 1988 uudecode
---s--s--x 1 uucp 24576 Apr 7 1988 uulog
---s--s--x 1 uucp 20480 Apr 7 1988 uuname
---s--s--x 1 uucp 24576 Apr 7 1988 uupoll
---s--s--x 2 uucp 53248 Apr 7 1988 uusend
---s--s--x 1 uucp 20480 Apr 7 1988 uusnap
---s--s--x 1 uucp 65536 Apr 7 1988 uux
Moreover, if I remember correctly, in 4.2BSD, /etc/syslog was owned
by daemon, and it is executed by root at boot time from /etc/rc.local.
At least, on SunOS 3.5, /usr/etc/in.syslogd is owned by daemon and
executed by root.
Masataka Ohta
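The trust relationship the post describes (root running programs that uucp or daemon own) can be checked mechanically. The following is an added example, not code from the post: it parses `ls -l` lines in the 4.2BSD shape quoted above (a modern line with a group column is accepted too) and reports every non-root account that owns a setuid/setgid program or a file root executes at boot. The sample listing, the `run_by_root` set and the `in.syslogd` line are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the 4.2BSD `ls -l` output quoted in the post
# (no group column); the root-owned and daemon-owned lines are added for contrast.
SAMPLE_LS = """\
-rws--x--x 2 uucp 86016 May 19 1989 cu
---s--s--x 2 uucp 53248 Apr 7 1988 ruusend
-rwxr-xr-x 1 uucp 49152 Apr 7 1988 uudecode
-r-sr-xr-x 1 root 40960 Apr 7 1988 passwd
-rwxr-xr-x 1 daemon 30720 Apr 7 1988 in.syslogd
"""

@dataclass(frozen=True)
class Entry:
    name: str
    owner: str
    setuid: bool
    setgid: bool

# mode links owner [group] size month day year-or-time name
LS_RE = re.compile(
    r"^([-dlbcps][rwxsStT-]{9})\s+\d+\s+(\S+)\s+(?:\S+\s+)?\d+\s+\S+\s+\d+\s+\S+\s+(.+)$")

def parse_ls_line(line):
    """Parse one `ls -l` line; returns None for lines that are not file entries."""
    m = LS_RE.match(line.strip())
    if not m:
        return None
    mode, owner, name = m.groups()
    # mode[3] is the owner-execute slot ('s'/'S' = setuid), mode[6] the group one.
    return Entry(name, owner, mode[3] in "sS", mode[6] in "sS")

def root_trusts(entries, run_by_root=frozenset()):
    """Map each non-root account to the files through which root depends on it:
    setuid/setgid programs it owns (the owner can rewrite them, and root runs
    them whenever an administrator types cu or uux) and files root executes at
    boot, such as a daemon-owned syslogd started from rc.local. Each such
    account must be protected as carefully as root itself."""
    trusted = {}
    for e in entries:
        if e.owner != "root" and (e.setuid or e.setgid or e.name in run_by_root):
            trusted.setdefault(e.owner, []).append(e.name)
    return {acct: sorted(files) for acct, files in trusted.items()}

def audit(ls_output, run_by_root=frozenset()):
    entries = [e for e in map(parse_ls_line, ls_output.splitlines()) if e]
    return root_trusts(entries, run_by_root)

if __name__ == "__main__":
    for account, files in sorted(audit(SAMPLE_LS, {"in.syslogd"}).items()):
        print(f"root effectively trusts {account}: {', '.join(files)}")
```

On a live system, feed it the real `ls -l` of the directories on root's path and the program names pulled from /etc/rc.local; every account it prints is one whose password and files are, in effect, part of root's security boundary.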