becoming root via NFS

Istvan Mohos istvan at hhb.UUCP
Fri Dec 21 00:52:06 AEST 1990


I've re-read "UNIX System Security" (by Wood and Kochan) recently
and jotted down a list of over 50 security risks, all the while
trying to banish the song "Fifty Ways To Leave Your Lover" recurring 
in my mind.  The recommended security procedures for avoiding the
risks on my list run the gamut, from the obvious and easily adhered-to,
to the ridiculous and unenforceable.

Although any one of the pitfalls described by Wood and Kochan will
deliver the system to an adversary, lock, stock and barrel, the sum
of the risks represented by the book pales in comparison with the
"Anyone Can Be Root" model which links workstations to a central
server through NFS.  Even if you discount Tom Christiansen's
innovative "Real Programmers' Setuid" algorithm, allowing absolutely
everyone to "su" to all other users and in doing so access gigabytes
of data, is a kiss of death to security, an iceberg that will sink
the Titanic.

(Fume aside:
   Meanwhile, dear posters to sci.crypt - you all know who you are:
   with your psyche bonded to DES as surely as Citizen Kane's was to
   ROSEBUD, and disbelieving in a "life after DES" - you go on being
   impervious to the fact that an intruder doesn't need to pick locks and crack
   passwords when the doors and windows to the system are already ajar.)

Becoming root on the NFS network is a highly overrated prize, only
interesting from a technical point, a "UNIX internals" achievement.
I suppose this explains the present thread in this newsgroup.  On
the other hand, at any firm with ongoing major software development,
the data distributed among the users embodies the true assets of the
company, and is more {valuable,sensitive,irreplaceable,vulnerable}
by far, than surreptitious access or damage to kernel data structures.

So forget about trojans, viruses, worms, suids and passwords -
be pragmatic, assume the worst, and learn to live in a compromised
and hostile computing environment.  The two horns of the peril to
your software are vandalism and theft.  Although you cannot prevent
vandalism, losses due to corruption can be minimized by backing up
*everything* (and forever accumulating your tapes in a fireproof,
floodproof, earthquakeproof, etc. vault, under lock and key :-)

To prevent theft, encrypt your data.  Crypt(1) will get broken, so
use other programs instead.  I would offer to post the source to my
"mix" scrambler, but friends on sci.crypt advise that exporting
encryption software out of the US is possibly illegal.  If true,
as outrageous and against our ideals of free speech as such a
restriction would be, I still wouldn't wish the bounty of my country's
ayatollahs on my head: I will e-mail "mix" only to your US address -
no retry on bouncing.

Here is a practical tip that may pay dividends: keep a *key library*
(both the source and the object) of your software entirely off-line,
and only load it, single-user mode, when you need to link with it.

-- 
        Istvan Mohos
        ...uunet!pyrdc!pyrnj!hhb!istvan
        1000 Wyckoff Ave. Mahwah NJ 07430 201-848-8000
======================================================