
Re: Root privilege (SOLVED)



On Thu, Jan 11, 2007 at 03:06:33AM EST, Andrei Popescu wrote:
> On Wed, 10 Jan 2007 17:52:18 -0500
> cga2000 <cga2000@optonline.net> wrote:
> 
> > Mind you, and this is not directly related to the above, I sometimes
> > have this bizarre feeling that much of this awkwardness we have to
> > deal with -- in X certainly .. but from the linux console as well,
> > albeit to a lesser extent -- eventually boils down to the *NIX model
> > not having been designed from the ground up with security in mind.
> 
> Huh?

Well, here's what the authors of The UNIX Haters' handbook have to say
as a preamble to Chapter 12. Security -- Oh, I'm Sorry Sir, Go Ahead, I
Didn't Realize You Were Root:

"The term "Unix security" is, almost by definition, an oxymoron because
the Unix operating system was not designed to be secure, except for the
vulnerable and ill-designed root/rootless distinction. Security measures
to thwart attack were an afterthought. Thus, when Unix is behaving as
expected, it is not secure, and making Unix run "securely" means forcing
it to do unnatural acts. It's like the dancing dog at a circus, but not
as funny-- especially when it is your files that are being eaten by the
dog."

True, the book was published over ten years ago (with contributions from
respected security maven Simson Garfinkel) .. but regarding the nixes'
security model and this root/rootless business I can't see that anything
much has changed.

> > I just cannot see why you should need something extreme such as root
> > access to install/maintain software.
> 
> And let users install any malware they get across on the internet just
> because it popped up a window with "install me"?

Well .. the malware could be the installer itself, no..?  It _is_
software after all.  If I was up to no good that's exactly where I'd
stick my mal-code..  only runs once .. under root, usually ..  does its
stuff .. removes itself.. and pop goes the weasel ..

Why should install programs run with the "extreme" privileges I
mentioned earlier when it is totally unnecessary in the first place?

Why risk compromising the entire system when you could limit the scope
of the exploit to a program maintenance/installation?

Think large ships ... how they are designed to ensure that if the
hull is breached .. water does not take over the entire vessel.

Besides, isn't this practice of switching to root whenever you install a
program in clear violation of the first -- 2nd, 3rd .. ?  principle of
computer security .. ?? -- ie. users of a given system should not be
granted more privileges than necessary to perform the tasks that fall
within the scope of their position.  

No reason I can think of why Joe Consultant should have read/write
access to the company's payroll files or other confidential data when
all he needs is permission to upgrade a couple of binaries in usr/bin.  

> > Maybe that with some contortions
> > this could be achieved within the *NIX security model by defining a
> > privileged group and making sure software packaging takes this into
> > account .. maybe not.  Not for me to decide.
> > 
> > :-)
> 
> Of course this can be done. It's even not so difficult to set-up using
> sudo.

I'm not really convinced.  I'm no expert, but sudo does sound a bit like
the "dancing dog at the circus" to me ..  For one thing, KISS is another
fundamental principle where system security is concerned and in this
respect, sudo does not seem to go in the right direction.

Thanks.

cga
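The "privileged group" idea discussed in this thread, as an added illustration that is not part of the original messages: a sudoers fragment showing the wide-open rule beside a narrower one on a Debian-style system (the group name pkgadmin, the log path and the command paths are assumptions).

```sudoers
# Added illustration (not from the thread): a privileged group for
# package maintenance, expressed as sudoers rules. The group name
# pkgadmin, the log path and the command paths are assumptions.

# Weak setting: this is simply root with an extra password prompt.
# Any member can run anything, so a breached "hull" floods the ship.
# %pkgadmin ALL=(ALL) ALL

# Narrower setting: members may only drive the package manager.
Cmnd_Alias PKG_INSTALL = /usr/bin/apt-get update, \
                         /usr/bin/apt-get install *, \
                         /usr/bin/apt-get upgrade, \
                         /usr/bin/dpkg -i *
Cmnd_Alias PKG_QUERY   = /usr/bin/apt-cache *, /usr/bin/dpkg -l *

# Whatever runs here still runs as root, so keep an audit trail.
Defaults:%pkgadmin log_output, logfile=/var/log/sudo-pkgadmin.log

%pkgadmin ALL=(root) PKG_INSTALL, PKG_QUERY
```

Check the file with `visudo -c` before relying on it. Note that even the narrower rule is not a real privilege boundary, since package maintainer scripts run as root and `dpkg -i` accepts any local .deb; it limits accidental damage and records who installed what, which is exactly the "contortion" the thread is weighing.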


