Getting rid of the root account

Mike Taylor maujf at warwick.ac.uk
Fri Jun 9 02:01:40 AEST 1989


[I suggested that the UNIX privilege mechanism is elegant and secure]
In article <3327 at cps3xx.UUCP> rang at cpsin3.cps.msu.edu (Anton Rang) writes:
> [Proof of OS security] can be done (well, approximated) much more
> easily if you have a large number of distinct privileges.  If a
> section of code is running with, say, "GROUP" privilege ...

I will never understand why people find it so difficult to accept that
UNIX allows this.  All the mechanisms are in place, the only thing
that is required is for sysadmins to take the time to configure their
systems in a way that takes advantage of it.  That's what UNIX groups,
and group permissions on files, are all about!  Using the setuid
mechanism, it's quite simple to limit the extent of any user's or any
group's privileges.

> You don't need to worry that a call to open a file will read a
> protected file.  With monolithic privilege, any privileged code
> could do this.

No, only if the system is carelessly set up.  Suppose we want to allow
a group of four or five people access to root privileges, but only for
one particular job.  Then we write a program to do this job, and chmod
it 4750, (-rwSr-x---), so that anyone in the right group can run it as
root, but no-one else can access it.  Then you put the users in the
relevant group, and there you are.  What's so difficult about it?

If you barf at the idea of allowing the root privileges at all, even
when only a single operation is possible, then you can always make the
resource that the file uses, (maybe an accounting file?)
group-writeable.  Of course, this is preferable when possible, but sometimes
can't be done, (maybe the resource already needs to belong to another
group, like /dev/kmem being group kmem)

But to re-iterate my point again: UNIX supplies a complete, elegant
and secure privilege mechanism, and the fact that it has so many holes
in it *now* is only due to the insecure things people have done with
it.
______________________________________________________________________________
Mike Taylor - {Christ,M{athemat,us}ic}ian ...  Email to: mirk at uk.ac.warwick.cs
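
An added illustration of the scheme the post describes (a root-owned, group-restricted setuid program that does one job), not code from the post or its author: the helper validates its one argument, uses root only to open a fixed file, then drops back to the invoker's ids before writing. The accounting-file path and the program name `acct-append` are hypothetical.

```c
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifndef O_NOFOLLOW   /* hidden in strict-ISO builds; 0 disables the check there */
#define O_NOFOLLOW 0
#endif

/* Hypothetical accounting file (root-owned, mode 0600); not from the post. */
#define ACCT_FILE "/var/adm/site-acct"

/* Accept only a short, single-line, printable record. */
int valid_record(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 128)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isprint((unsigned char)s[i]))
            return 0;
    return 1;
}

/* Append "<real-uid> <record>\n" to path; 0 on success, -1 on failure. */
int append_record(const char *path, const char *rec)
{
    /* The only privileged step. No O_CREAT: the file must already exist,
       and O_NOFOLLOW refuses a symlink at the final path component. */
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    /* Root is no longer needed: return to the invoker's ids for good. */
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0) {
        close(fd);
        return -1;
    }
    char line[192];
    int len = snprintf(line, sizeof line, "%ld %s\n", (long)getuid(), rec);
    ssize_t w = (len > 0 && len < (int)sizeof line) ? write(fd, line, (size_t)len) : -1;
    close(fd);
    return w == (ssize_t)len ? 0 : -1;
}

int main(int argc, char **argv)
{
    /* The path is fixed at compile time; callers supply only the record. */
    if (argc != 2 || !valid_record(argv[1])) {
        fprintf(stderr, "usage: acct-append 'record text'\n");
        return 2;
    }
    return append_record(ACCT_FILE, argv[1]) == 0 ? 0 : 1;
}
```

Because the real uid is written with each record, the file also shows which member of the group made each entry.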



More information about the Comp.unix.wizards mailing list