Getting rid of the root account
Mike Taylor
maujf at warwick.ac.uk
Mon Jun 12 10:44:43 AEST 1989
In article <16659 at rpp386> jfh at rpp386.cactus.org (John F. Haugh II) writes:
> Consider for a moment a `mount' program which only group `oper' may
> execute. You must make the mode 4010 with user 'root' and group
> 'oper'. And you must prove that EVERY operation performed by `mount'
> conforms to the security system you've implemented.
Not at all -- It is quite possible to have a setuid root binary that
immediately throws away its privilege when run, reverting to the
effective uid of its invoker, and which restores its root-ness only
for the "critical region" in which it is doing those dark and secret
things that only root can do. Then the critical section alone need be
verified, and security holes in the rest of the program do not cause
the security of the root account to be compromised.
______________________________________________________________________________
Mike Taylor - {Christ,M{athemat,us}ic}ian ... Email to: mirk at uk.ac.warwick.cs
"Quick! Back into the fish!" - Eric Idle (Burthold in "Baron Munchhausen")
More information about the Comp.unix.wizards
mailing list