Complex security mechanism is insecure
John F Haugh II
jfh at rpp386.cactus.org
Fri Dec 14 00:59:57 AEST 1990
In article <6886 at titcce.cc.titech.ac.jp> mohta at necom830.cc.titech.ac.jp (Masataka Ohta) writes:
>>you should =always= execute with the
>>least amount of privilege required to perform the task at hand.
>
>"=always="? No, "unless the security mechanism become complex" is
>the condition.
No, there are no exceptions - the correct response is "always".
In the case of complex security mechanisms the correct response
is "and particularly in the case of complex security mechanisms".
The glossary of the friendly neighborhood Orange Book says ...
"Least Privilege: This principle requires each subject
[program -ed] in a system be granted the most restrictive
set of privileges (or lowest clearance) needed for the
performance of authorized tasks. The application of this
principle limits the damage that can result from accident,
error, or unauthorized use."
>But, the relationships of management related files are already very
>complex. So, don't bring extra complexity such as a non-root setuid
>program.
Unless there is a requirement for root permissions, adding root
permissions is an unneeded complexity. It requires that =every=
system call which behaves differently from non-root to root users
be analyzed for unexpected behavior.
There should be no difference in the precautions taken when you
are writing a set-UID "uucp" program as when writing a set-UID
"root" one. If you adhere to this you will have a program which
=cannot= be less secure simply because any incorrect or unauthorized
action performed while UID "uucp" could also be performed while
UID "root" with the "root" executed functions succeeding while the
"uucp" ones would fail.
--
John F. Haugh II UUCP: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 832-8832 Domain: jfh at rpp386.cactus.org
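The point above about system calls that behave differently for root and non-root callers applies to the privilege-dropping calls themselves. As an added illustration (this is not code from the post or from any program it mentions), the following C helper drops a set-UID program to a target UID/GID permanently and then reads the credentials back instead of trusting the return codes. It assumes Linux/glibc, where setresuid(2)/getresuid(2) are available; the real use would look up the target with getpwnam("uucp"), but main() here uses the invoking user's own IDs so the program can be run unprivileged.

```c
/* Permanent privilege drop for a set-UID helper, with verification.
 * Added example, not part of the original post. Assumes Linux/glibc
 * (setresuid/getresuid family). */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to target_uid/target_gid in all three credential slots (real,
 * effective, saved) and verify the result. Returns 0 on success, -1 on
 * failure.
 *
 * Why verify: setuid(2) is one of the calls whose behaviour differs by
 * caller. Called with effective UID 0 it sets real, effective and saved
 * UIDs; called without privilege it changes only the effective UID. A
 * set-UID-root program that has temporarily done seteuid(getuid()) and
 * later calls setuid(getuid()) therefore keeps a saved UID of 0 and can
 * regain root. setresuid() plus a getresuid() read-back removes that
 * ambiguity. */
int drop_privileges(uid_t target_uid, gid_t target_gid)
{
    uid_t ruid, euid, suid;
    gid_t rgid, egid, sgid;

    /* Supplementary groups can only be reset with privilege; an
     * unprivileged caller has nothing it could not already keep. */
    if (geteuid() == 0 && setgroups(1, &target_gid) != 0)
        return -1;

    /* Groups first: once the UID is gone, setresgid() may be refused. */
    if (setresgid(target_gid, target_gid, target_gid) != 0)
        return -1;
    if (setresuid(target_uid, target_uid, target_uid) != 0)
        return -1;

    /* Read back all three slots rather than trusting the return codes. */
    if (getresuid(&ruid, &euid, &suid) != 0 ||
        getresgid(&rgid, &egid, &sgid) != 0)
        return -1;
    if (ruid != target_uid || euid != target_uid || suid != target_uid)
        return -1;
    if (rgid != target_gid || egid != target_gid || sgid != target_gid)
        return -1;

    /* If the target is unprivileged, regaining root must now fail with
     * EPERM; anything else means the drop was not permanent. */
    if (target_uid != 0) {
        if (seteuid(0) == 0)
            return -1;
        if (errno != EPERM)
            return -1;
    }
    return 0;
}

int main(void)
{
    /* Stand-alone run: drop to the invoking user's own IDs (a no-op when
     * not set-UID, a real drop when installed set-UID). */
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "privilege drop failed or not permanent\n");
        return 1;
    }
    printf("running as uid %u, gid %u\n",
           (unsigned)geteuid(), (unsigned)getegid());
    return 0;
}
```

The same routine serves a set-UID "uucp" helper and a set-UID "root" one, which is the precaution the post asks for: the read-back catches a partial drop in either case, and the regain check is what distinguishes a permanent drop from a temporary one.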