Getting rid of the root account (Was: GNU OS)

Mike Taylor mirk at warwick.UUCP
Sat Jun 3 04:43:09 AEST 1989


In article <3, I think> jfh at rpp386.cactus.org (John F. Haugh II) writes:
> I think [a previous poster] meant getting rid of UID == 0 being a
> privileged user.  Again, this an Orange Book requirement.  It also
> makes much sense.  Programs should have privilege, not users.  The
> ability to access a program can then be limited to a collection of
> users or groups.

Uuuh, are you sure?  There seems to be a prevailing feeling that the
whole of UNIX is something that was cobbled together at random by
people writing bits without thinking about whether or not they were
secure, made sense or whatever.  While this is largely true of
Berkeley UNIX, or at least, of those bits that have been added since
V7, the concept of a root id belongs to fundamental core UNIX; it is
one of the concepts that Thompson, Ritchie and friends thought long and
hard about when they were designing UNIX.

Granted, at that time, it was never intended primarily to be a
*secure* system, but it was *very* carefully designed, nothing was in
that hadn't been thought through, and root is no exception.  Like
GOTO, I maintain that the problem with root is not that it is a flawed
concept, but that it is misused, overused, and generally ABused by
people who should know better.

The UNIX way of handling privilege IS fundamentally secure, and it's
pretty elegant to boot.  You have exactly one privileged user, and one
way of inheriting that privilege -- the setuid mechanism.  The fact
that many UNIX installations are insecure is due to the mess that
people have built on top of that idea, not to the idea itself.  Most
UNIXes have many things setuid to root which really don't need to be.

For example ...

> Or use /etc/group to allow some group of users to newgrp to an
> administrative account.  The group ``dumpers'' might exist for persons
> taking file system dumps.  All of the dumpable devices would then have
> file group ``dumpers''.  Root wouldn't have to be used for dumps any
> longer.

You can already do this -- the mechanisms are in place and have been
since way way back.  All that needs to be done is make the program
group-executable, and maybe setuid to whatever account it needs to be
able to access the dump device.  There's almost always already a way
to do it, I have found.  Whatever "it" is.

I believe in having as many accounts as necessary to run all the
standard daemons, servers &c., under their own account, so as to
decentralise privilege.  Many services are setuid root in order to do
some simple thing, whereas all they really need is to be setuid to a
special account that owns whatever files need privileged access.  Then
people penetrating security in, say, fingerd (not topical any more,
but never mind) would have obtained access to the account
"finger", but not to root.  Big deal.  And remember -- all this can be
done, without bending over backwards, with UNIX machinery that already
exists.

	"Those who do not understand UNIX are condemned
	 to re-invent it, poorly" -- Henry Spencer.
______________________________________________________________________________
Mike Taylor - {Christ,M{athemat,us}ic}ian ...  Email to: mirk at uk.ac.warwick.cs
Unkle Mirk sez: "You fritter and waste the hours in an offhand waistcoat."
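The two points above (a dump program setuid to its own account and executable only by a ``dumpers'' group, and the observation that most systems carry setuid-root programs that don't need to be) can be checked mechanically. The script below is an added example, not part of the original post: it audits a directory tree for set-user-ID programs and flags the ones that are setuid root or world-executable, and it shows the ownership/mode layout the post describes. The sample tree, the account and group names, and the file names are all constructed for the example; the current user stands in for a dedicated service account such as "dump" or "finger".

```shell
#!/bin/sh
# Added example (not from the original post). Audits a tree for set-user-ID
# programs and shows the "dedicated account + group-only access" layout.
# Assumptions: POSIX find/ls/awk; the current user plays the dedicated
# service account, since creating real accounts needs root.

# Install PROG the way the post describes: owned by a dedicated ACCOUNT,
# set-user-ID to that account, executable only by members of GROUP (mode 4750).
confine_program() {
    prog=$1; account=$2; group=$3
    chown "$account:$group" "$prog"   # chown first: it may clear the setuid bit
    chmod 4750 "$prog"
}

# List setuid regular files under DIR as "<mode> <owner> <group> <path>".
list_setuid() {
    find "$1" -type f -perm -4000 -exec ls -l {} \; |
        awk '{print $1, $3, $4, $NF}'
}

# Counting helpers (each prints a single integer).
count_setuid() { list_setuid "$1" | wc -l | tr -d ' '; }
count_setuid_root() {
    list_setuid "$1" | awk '$2 == "root" {n++} END {print n+0}'
}
# Setuid and executable by "other": anyone on the machine can run it.
count_setuid_world_exec() {
    list_setuid "$1" | awk 'substr($1,10,1) ~ /[xt]/ {n++} END {print n+0}'
}
# Setuid, group-executable, and NOT world-executable: the post's layout.
count_setuid_group_only() {
    list_setuid "$1" |
        awk 'substr($1,7,1) == "x" && substr($1,10,1) !~ /[xt]/ {n++} END {print n+0}'
}

# Human-readable report: one line per setuid file with the question to ask.
report_setuid() {
    list_setuid "$1" | while read -r mode owner group path; do
        if [ "$owner" = root ]; then
            note="setuid root: does it really need root, or just its own account?"
        else
            note="setuid $owner (not root): privilege confined to that account"
        fi
        case "$(printf '%s' "$mode" | cut -c10)" in
            x|t) note="$note; world-executable, consider group-only (chmod 4750)" ;;
        esac
        printf '%s %s:%s %s -> %s\n' "$mode" "$owner" "$group" "$path" "$note"
    done
}

# Build a constructed sample tree under DIR:
#   bin/dumper  - confined: dedicated account, group-only, mode 4750
#   bin/fingerd - setuid and world-executable, mode 4755 (the pattern to question)
#   bin/plain   - ordinary program, mode 755, not setuid
build_sample_tree() {
    me=$(id -un); mygroup=$(id -gn)     # stand-ins for "dump" / "dumpers"
    mkdir -p "$1/bin"
    printf '#!/bin/sh\necho dump\n'   > "$1/bin/dumper"
    confine_program "$1/bin/dumper" "$me" "$mygroup"
    printf '#!/bin/sh\necho finger\n' > "$1/bin/fingerd"
    chmod 4755 "$1/bin/fingerd"
    printf '#!/bin/sh\necho hi\n'     > "$1/bin/plain"
    chmod 755 "$1/bin/plain"
}

# Stand-alone demo on a constructed tree; run it against /usr/bin or
# /usr/sbin on a real system to see what is setuid root there.
demo_dir=$(mktemp -d)
build_sample_tree "$demo_dir"
report_setuid "$demo_dir"
rm -rf "$demo_dir"
```

Running `report_setuid /usr/bin` on a real machine gives the list the post is complaining about; each setuid-root entry is a candidate for the question "could this be setuid to an account that merely owns the files it touches?", and each world-executable one for "could a group restrict who may run it?". Nothing here changes a real system; `confine_program` is only invoked on the constructed tree.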