
Re: Referring bug #166718 and the initial groups issue to the TC



Previously Manoj Srivastava wrote:
> 	Traditionally, UNIX has not been in the practice of
>  automatically adding users to groups, and I think we need to be
>  careful if we decide to break from universal practice.

A problem is that it simply isn't possible to do it securely currently,
which is why unices have not done this. The standard attacks are
creation of sgid shells as mentioned and starting a long-running process
that keeps an open filehandle on a device long after a user has logged
out and another logged in.

The possible solutions have all been discussed years ago and at that
point we decided to wait until the kernel got a revoke system call which
closes all open filehandles on a file. Using that one can chown a device
to the currently logged in user, and chown it back and revoke all open
filehandles on logout.

If we need to choose between chown and group member my vote would be for
chown, for two reasons:

* it is slightly more secure since it does not create the option for the
  users to create sgid executables
* while this does not allow multiple users on a physical machine (it
  breaks if another user logs in on another virtual console) I doubt
  this is a problem for standard machine usage

It is slightly more fragile than group membership though:

* it breaks if a user logs in on two consoles and then logs out on
  one of them since that will generally leave him without access to
  the device
* if the machine crashes, loses power or otherwise shuts down the
  devices will be left with the wrong owner. This can be fixed in a
  boot-time script of course.

Wichert.

-- 
Wichert Akkerman <wichert@wiggy.net>    It is simple to make things.
http://www.wiggy.net/                   It is hard to make things simple.
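
The open-filehandle problem described in the message above, as an added example that is not part of the original mail: permissions are checked at open() time only, so a descriptor obtained earlier keeps working after access is withdrawn. A constructed temporary file stands in for the device and chmod to mode 0 stands in for the chown-back on logout; both are assumptions so the program runs unprivileged.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of the experiment on a constructed temp file (stand-in for a device). */
struct stale_fd_result {
    ssize_t held_read;   /* bytes read via the descriptor opened before the change */
    int reopen_errno;    /* errno of a fresh open() after the change, 0 if it succeeded */
};

/* Open the file, withdraw all access, then compare the old descriptor
 * with a fresh open(). Returns 0 if the experiment could be set up. */
int stale_fd_demo(struct stale_fd_result *out)
{
    char path[] = "/tmp/stale_fd_demo_XXXXXX";   /* constructed sample path */
    static const char data[] = "device data";    /* constructed sample content */
    char buf[sizeof data];
    int setup = mkstemp(path);
    if (setup < 0) return -1;
    if (write(setup, data, sizeof data) != (ssize_t)sizeof data) { close(setup); unlink(path); return -1; }
    close(setup);

    int held = open(path, O_RDONLY);             /* first user opens the "device" */
    if (held < 0) { unlink(path); return -1; }
    if (chmod(path, 0) != 0) { close(held); unlink(path); return -1; }  /* access withdrawn */

    out->held_read = read(held, buf, sizeof buf);   /* still succeeds: no re-check on read() */
    int fresh = open(path, O_RDONLY);               /* a new open() is checked again */
    out->reopen_errno = fresh < 0 ? errno : 0;      /* EACCES unless privileged (root bypasses mode bits) */
    if (fresh >= 0) close(fresh);
    close(held);
    unlink(path);
    return 0;
}

int main(void)
{
    struct stale_fd_result r;
    if (stale_fd_demo(&r) != 0) { perror("stale_fd_demo"); return 1; }
    printf("read via held descriptor: %zd bytes\n", r.held_read);
    printf("fresh open(): %s\n", r.reopen_errno ? strerror(r.reopen_errno) : "succeeded");
    return 0;
}
```

Closing that gap is what the revoke call mentioned in the message is meant for: changing ownership alone does not invalidate descriptors that are already open.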


