Re: tcb for debian?
On Mon, 27 Jan 2003 09:40, Alexander Reelsen wrote:
> Quick description (from the manpage)
> With the traditional password shadowing scheme, password hashes and
> password aging information of all users are stored in one file,
> /etc/shadow. Therefore, if a process requires access to information on a
> single user, it is forced to possess privileges which are
> sufficient to access data on all users. This is a design flaw, which is
> most clearly visible in the case of the passwd(1) utility. Let's assume
[...]
> The solution is straightforward - each user is assigned its own,
> separate shadow-style file. User U's shadow file is owned by U, so
> passwd(1) invoked by U does not require superuser privileges.
This only helps if you have a Mandatory Access Control system such as SE Linux
installed and operating correctly.
With a typical Linux setup you can exploit programs such as BIND, dhcpd, an
FTP daemon, Sendmail, or sshd for full access to the system. All these
programs have a much worse history regarding security than passwd(1).
Remember, any program that authenticates users (every program that is
conceptually equivalent to "login") has to be able to read everyone's shadow
entries, and that means that if one of those programs is exploited an
attacker can use crack to try and find passwords.
> It is very unlikely that such a small package, which is not used that much,
> will get into Debian if the glibc has to be patched, right?
> The glibc patch of the crypt_blowfish package is not even 2kb "big". (3
> lines added, however some files have to be copied additionally and the
> patch is for glibc 2.1.3)
You may be surprised. If we can significantly increase the security of a
system by patching glibc then I expect that the libc6 maintainers would be
willing to consider it.
However, I believe that until SE Linux, RSBAC, and GRSEC get wider use in
Debian there is no point in even talking about getting such a change into
Debian. Currently people who want this can always have their own patched
libc6, and people who are interested in maintaining it can run their own
private apt repository for it.
I think that this "tcb" project offers nothing of benefit if you use standard
Unix permissions (i.e. you have a standard Linux kernel without any security
patches).
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
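To make the two positions in this thread concrete, here is a small model of the traditional /etc/shadow layout beside the per-user tcb layout (/etc/tcb/<user>/shadow owned by that user). It is an added example, not code from the tcb project or from either poster; the entries are constructed, group-based access (the real tcb uses a shared auth group) is ignored, and the audit helper's invariants are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    path: str   # file path
    owner: str  # owning user name
    mode: int   # POSIX permission bits

def layout(scheme, users):
    """Constructed entries: one /etc/shadow (traditional) or one
    /etc/tcb/<user>/shadow per user, owned by that user (tcb)."""
    if scheme == "shadow":
        return [Entry("/etc/shadow", "root", 0o640)]
    if scheme == "tcb":
        return [Entry(f"/etc/tcb/{u}/shadow", u, 0o640) for u in users]
    raise ValueError(f"unknown scheme {scheme!r}")

def owner_readable(entry, user):
    """True if `user` can read the entry via owner permission alone
    (group membership is deliberately ignored in this model)."""
    return entry.owner == user and bool(entry.mode & 0o400)

def files_needed(scheme, users, target):
    """Entries a process must read to check `target`; '*' means any user,
    which is what every login-style program (sshd, ftpd, ...) must handle."""
    entries = layout(scheme, users)
    if scheme == "shadow" or target == "*":
        return entries
    return [e for e in entries if e.path == f"/etc/tcb/{target}/shadow"]

def needs_privilege(scheme, users, caller, target):
    """Does `caller` need more than its own uid to read all needed files?"""
    return any(not owner_readable(e, caller)
               for e in files_needed(scheme, users, target))

def tcb_violations(entries):
    """Audit helper (assumed invariants): tcb entries whose owner is not the
    directory's user, or which are readable by 'other'."""
    bad = []
    for e in entries:
        parts = e.path.split("/")
        in_tcb = len(parts) == 5 and parts[1:3] == ["etc", "tcb"]
        expected = parts[3] if in_tcb else None
        if e.owner != expected or e.mode & 0o004:
            bad.append(e.path)
    return bad

if __name__ == "__main__":
    users = ["alice", "bob", "root"]
    print(needs_privilege("shadow", users, "alice", "alice"))  # True
    print(needs_privilege("tcb", users, "alice", "alice"))     # False
    print(needs_privilege("tcb", users, "sshd", "*"))          # True
```

The third call is the point made above: a login-style daemon must read every user's entry, so under plain Unix permissions tcb leaves its privilege requirement unchanged.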