Getting rid of the root account

John F. Haugh II jfh at rpp386.Dallas.TX.US
Sat Jun 10 11:49:11 AEST 1989 

In article <1989Jun8.210946.26746 at eci386.uucp> jmm at eci386.UUCP (John Macdonald) writes:
>1. get rid of all root logins from the normal /etc/passwd

Now that's a good start :-)

>2. get rid of all suid-root programs that have not been fully verified

Yes, you must do this as well.  /bin/mkdir will always be a member of
my bag of tricks.

>3. create suid-<category> programs to manage privelged activities for
>    each different <category> you need.  You may need to write (and prove
>    correct) a suid-root permission management program for complicated
>    cases.

This is not adequate.  There are many operations under UNIX which only
root can perform.  The idea behind making 0 a non-special UID is that
than you must have some other object with a finer granularity in order
to perform the operation.

Certainly you could have every utility check it's invoker to verify
permission - but what do you do when a bug such as /bin/mkdir crops up
and demonstrates how little security stock UNIX has designed into it?

>This setup allows the kernel to be proved since there is not a huge amount
>of requirement - it must not give out root permission gratitously, it must
>implement suid correctly.  It allows any site to configure its own security
>requirements without having to make any change to the kernel.  It allows the
>typical system be sold as reasonably secure without the high expense of proof
>which satisfies needs of most systems[1].

Proving a kernel secure is not sufficient.  You must also prove that all
of the programs executing with privilege are secure.  By creating more
programs to manage privilege you are creating a larger task.  Assurance
goes straight out the window since any one flaw in the program affects
all of the privileges the program posseses, and that is every privilege.

>It puts the cost of proving or validating any additional security needs on
>those people who require and implement those needs.  This does not preclude
>providing some programs which do some of these tasks either with the system,
>or in any other fashion (comp.unix.sources); but people who *require*
>security will have to validate such programs anyhow.

... Which is the consumer.  Provably secure systems will not be running
the latest version of nethack or smail.
-- 
John F. Haugh II                        +-Button of the Week Club:-------------
VoiceNet: (512) 832-8832   Data: -8835  | "AIX is a three letter word,
InterNet: jfh at rpp386.Cactus.Org         |  and it's BLUE."
UucpNet : <backbone>!bigtex!rpp386!jfh  +--------------------------------------

More information about the Comp.unix.wizards mailing list