Getting rid of the root account

Doug Gwyn gwyn at smoke.BRL.MIL
Wed Jun 7 01:08:25 AEST 1989


In article <16638 at rpp386.Dallas.TX.US> jfh at rpp386.cactus.org (John F. Haugh II) writes:
>Monolithic privilege is simple, elegant and neither secure nor
>trustable.  Any single flaw in the privilege scheme may be exploited
>to obtain complete privilege.

To the contrary, the kernel implementation of UID 0 being the ONLY
privileged UID along with the set-UID implementation is small and
simple enough to be completely validated.  That provides sufficient
kernel support for layered implementation of more elaborate security
schemes.  You need to distinguish between the typical hodge-podge of
user-mode privileged programs found on commercial UNIX systems and
the inherent security hooks.  The latter make possible implementation
of a provably secure, trustworthy multi-level security scheme.  More
elaborate kernel hooks make it harder to be sure there are no loopholes.

It doesn't matter what a "flaw" would mean if you can PROVE there are
no flaws.
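As an added example, not part of Gwyn's post or of anything in the original thread: a small user-mode model in C of the two kernel hooks he refers to, the single "is euid 0?" privilege test and the set-UID exec transition, with a policy layer built on top of them the way his "layered implementation" suggests. The credential rules follow the classic UNIX setuid(2)/exec(2) semantics (real, effective and saved uid); the policy table, the user ids 1001-1003, the operation names and all function names are assumptions made for illustration, and the program runs without root because it only simulates the kernel's bookkeeping.

```c
/* Added example (not from the original post): a user-mode model of the two
 * kernel privilege hooks in classic UNIX, UID 0 as the only privileged uid
 * and set-UID exec, with a hypothetical policy wrapper layered on top.
 * Supplementary groups and Linux capabilities are deliberately not modelled. */
#include <stdio.h>
#include <string.h>

typedef unsigned int uid_m;   /* model uid type; avoids clashing with uid_t */

struct cred {
    uid_m ruid;   /* real uid: who ran the process */
    uid_m euid;   /* effective uid: the only thing the kernel checks */
    uid_m suid;   /* saved uid: set by exec, lets euid be restored */
};

/* The single kernel privilege test: only UID 0 is privileged. */
int suser(const struct cred *c) { return c->euid == 0; }

/* exec(2) of a file: with the set-UID bit on, euid and suid become the
 * file owner; otherwise the credentials are carried over unchanged. */
void kernel_exec(struct cred *c, uid_m file_owner, int setuid_bit) {
    if (setuid_bit) {
        c->euid = file_owner;
        c->suid = file_owner;
    }
}

/* setuid(2): a privileged caller sets all three ids (irrevocably); an
 * unprivileged caller may only switch euid to its real or saved uid. */
int kernel_setuid(struct cred *c, uid_m uid) {
    if (suser(c)) {
        c->ruid = c->euid = c->suid = uid;
        return 0;
    }
    if (uid == c->ruid || uid == c->suid) {
        c->euid = uid;
        return 0;
    }
    return -1;   /* EPERM */
}

/* Any privileged operation: the kernel asks exactly one question. */
int kernel_privileged_op(const struct cred *c) {
    return suser(c) ? 0 : -1;
}

/* ---- policy layer, in user mode, on top of those two hooks ---- */

/* Hypothetical allow-list (constructed sample data): which real uids may
 * invoke which operation through a set-UID-root wrapper. */
struct rule { uid_m ruid; const char *op; };
static const struct rule policy[] = {
    { 1001, "mount" },
    { 1002, "reboot" },
};

static int policy_allows(uid_m ruid, const char *op) {
    size_t i;
    for (i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (policy[i].ruid == ruid && strcmp(policy[i].op, op) == 0)
            return 1;
    return 0;
}

/* A set-UID-root wrapper: decide on the *real* uid, perform the privileged
 * operation, then drop privilege permanently.  Returns 0 on success, -1 if
 * the policy denied (or the wrapper was not privileged), -2 if privilege
 * could not be dropped.  On return c holds the wrapper's final credentials. */
int wrapper_run(struct cred *c, const char *op) {
    int rc = -1;
    if (policy_allows(c->ruid, op))
        rc = kernel_privileged_op(c);
    /* Drop to the real uid whether or not we acted.  From euid 0 this sets
     * all three ids, so privilege cannot be regained; verify that it worked. */
    if (kernel_setuid(c, c->ruid) != 0 || suser(c))
        return -2;
    return rc;
}

/* Start as an unprivileged user and exec a root-owned set-UID wrapper. */
struct cred login_and_exec_wrapper(uid_m user) {
    struct cred c = { user, user, user };
    kernel_exec(&c, 0, 1);   /* wrapper file is owned by uid 0, set-UID bit on */
    return c;
}

int main(void) {
    struct cred c = login_and_exec_wrapper(1001);
    printf("after exec: ruid=%u euid=%u suid=%u privileged=%d\n",
           c.ruid, c.euid, c.suid, suser(&c));
    printf("mount as 1001: %d\n", wrapper_run(&c, "mount"));
    printf("after drop: euid=%u, setuid(0) -> %d\n", c.euid, kernel_setuid(&c, 0));
    c = login_and_exec_wrapper(1003);
    printf("mount as 1003: %d\n", wrapper_run(&c, "mount"));
    return 0;
}
```

The point of the model is how little the kernel side is: suser() and the two credential transitions are the whole privileged surface, and everything policy-specific lives in wrapper_run(), which is ordinary user code that can be audited separately. The check after kernel_setuid() is the one a practitioner should keep in real set-UID programs: confirm the drop actually happened rather than assume it.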
