Getting rid of the root account

Peter da Silva peter at ficc.uu.net
Thu Jun 15 06:25:30 AEST 1989


In article <16662 at rpp386.Dallas.TX.US>, jfh at rpp386.Dallas.TX.US (John F.
Haugh II) writes a whole bunch of stuff about trusted computing bases (which
he abbreviates throughout as TCB without explaining this abbreviation)...

> Your assumption is that you will be able to obtain, through some
> machinations an arbitrary privilege.  A system with this as a flaw is
> open to more direct attacks than having bogus file systems mounted.

Actually that's a pretty direct attack. But, yes, I'm assuming that you will
be able to obtain, through some machinations, any arbitrary privilege. I have
read somewhat about the subject, and I find it hard to credit that a
useful system could be built that will satisfy all the requirements of
a TCB.

Security and convenience are diametrically opposed goals.

In any real system that's open enough to get any actual work done, there
will be holes. No matter how many people work through the code in an attempt
to verify it... an operating system is far more complicated than any
mathematical proof, for example, and look at the work necessary to validate
one of those.

So all you get for your effort is a warm fuzzy feeling that your system
is secure. If you really want security, lock the terminal and computer up
in a Faraday cage, and don't let anything in or out except well filtered
line current.

Dropping back a few notches to UNIX, now, let's consider a real system. One
that's sitting in a computer room with maybe a locked door keeping people
from sliding in a boot tape and hitting restart. Minimal physical security.
That's about the closest thing to a secure system 99% of the people need.

Now, what advantage would ripping root into a dozen separate capabilities
(yet with complex interactions that have to be checked) give a system like
that?

> You assume a trusted system is going to trust any data being imported?

I assume a real system outside the DoD is going to allow people to do real
work. And, frankly, I don't care what a system inside the DoD allows.

> The objections Peter has raised display
> a severe lack of understanding about the current state of the art in
> trusted systems designs.

We're not talking about DoD-certified paranoid systems in Falls Church, we're
talking about the typical UNIX system: a departmental or single-user computer
doing software development, accounting, engineering, etc...
-- 
Peter da Silva, Xenix Support, Ferranti International Controls Corporation.

Business: uunet.uu.net!ficc!peter, peter at ficc.uu.net, +1 713 274 5180.
Personal: ...!texbell!sugar!peter, peter at sugar.hackercorp.com.
