
Re: Root is God? (was: Mutt & tmp files)



On Fri, Nov 16, 2001 at 08:23:27AM -0800, Micah Anderson wrote:

> No, you can't. No matter how you cut it, root can install a new
> kernel, sans LIDS and write to his/her home dir.

How? Replace /boot? That is DENY in my setup. Access lilo.conf or the lilo
binary? DENY. How do you want to replace system binaries when LIDS is
activated and memory and every critical file/dir are protected?

You can't shut down or reboot the host without proper auth.

> Nothing can protect the kernel from root if root can replace the
> kernel. 

You can't do this in a proper setup of LIDS.

> Sure you may have /boot mounted read-only, but that is a
> simple remount, 

No, it's not. It's not mounted, it's DENIed by the kernel. Every access
to this directory is blocked by the kernel before anything further
happens.

Remount or mount is blocked, IIRC, by CAP_SYS_ADMIN. With an activated LIDS
you can't mount or umount anything, even as root. Everything is blocked.

> or boot into single user mode, 

How? You can't change runlevels. Once sealed, it will remain so until the next
reboot, when it gets sealed in single user mode.

> or put the kernel somewhere else, 

Where? In a protected filesystem? In /tmp? How do you tell the loader to
access this file? It's all blocked.

> or physically put in a different harddrive. $

When I'm sitting in Honolulu having a drink?

When there's no physical security, there's no security at all.

Use crypto filesystems to secure storage.

> There is no way, nor any reason why, to setup a system in such a way
> that the maintainer of the system cannot maintain it. 

The maintainer is someone else. root is there for serving the daemons.
Administering the machine is the next security level, and this time in
the kernel (to deactivate it). The interface is clean.

> You cannot completely lock out root, 

No, you can't. But you can protect your system from root.

> for if you do, it is no longer root.

Of course it's root. Who else should it be? But he can no longer
access all the interfaces with full rights. A properly configured LIDS
is secure from root abuse.

> Can root physically access the machine? If not, then there is someone
> else who would be root.

I don't care. I can seal LIDS so that you can only administer your
machine from the console. It no longer works over remote links.

> Thats like saying root doesn't have the root password. It doesn't
> matter, root can change the root password.

This is a new way of thinking. root is there for serving purposes. With
LIDS, you're sealing the kernel so it does not accept potentially malicious
input from root.


