Hi, On Mon, Aug 11, 2003 at 01:31:21PM -0400, Matt Zimmerman wrote: > On Mon, Aug 11, 2003 at 06:19:19PM +0200, Emile van Bergen wrote: > > Frankly, it makes no difference if it is fundamentally impossible or not, > because we must deal with real code in the real world, not theory. The > reality is that it is not at all straightforward, and a great majority of > the time, mistakes are made. The Unix security model means that these > mistakes are catastrophic, and often result in compromise of the entire > system. > > Not only do we continue to see the same kinds of bugs appearing both in new > programs and old programs, but we are still discovering new vectors to > attack common code (such as the C library), which can affect a huge number > of programs all at once. > > > A lot of computer security relies on controlled entry points that elevates > > privileges. Look at most CPU architectures. Setuid is just Unix' > > implementation of the concept. > > How many attack vectors can you think of for a CPU's supervisor mode? How > about a setuid program on a Unix system? See the difference? The difference is small, therefore such setuid root wrappers must be treated with the same level of caution as CPU microcode. It must function correctly, otherwise all is lost. The fact that Unix' design means that root fundamentally builds the system and allows to do anything, is useful. That system builders execute gobs of code as root is of the same caliber of stupidity as Win98 not providing any process separation. But fundamentally, there is no alternative. A new model means that you still need some 'monitor' code that you can trust. Under unix, that's not just the kernel code but potentially any code that runs as root. Other OSes may restrict that to the kernel, but the problem remains the same if people become just as careless with what they put there. I'm glad that Unix doesn't put all trusted stuff in the kernel, but allows you to implement low level security policies in userspace, by providing low level tools such as the call gate (setuid binaries). It fits the unix model very well. The OS components are the processes. The OS is built in userspace. The admin builds the OS, not the vendor. That's what unix is all about, that's what makes it so versatile. And powerful. And dangerous. It'd be lovely if we could take that even further, allowing userspace to populate the namespace and route IRQs to select(). Looking at linux, we're slowly getting there. The point is, 'root' is probably more fundamentally dangerous than most people are inclined to think. It's not really the admin, it's the system creator's account. Cheers, Emile. -- E-Advies - Emile van Bergen emile@e-advies.nl tel. +31 (0)70 3906153 http://www.e-advies.nl
Attachment:
pgpWAZjPpxV2Z.pgp
Description: PGP signature