[752] in linux-security and linux-alert archive
Re: [linux-security] standard users,groups,perms?
daemon@ATHENA.MIT.EDU (Rogier Wolff)
Thu Jun 6 13:09:56 1996
To: jsdy@cais.cais.com (Joseph S. D. Yao)
Date: Thu, 6 Jun 1996 09:55:09 +0200 (METDST)
Cc: jjr@zilker.net, linux-security@tarsier.cv.nrao.edu
In-Reply-To: <199606051931.PAA24605@cais2.cais.com> from "Joseph S. D. Yao" at Jun 5, 96 03:31:03 pm
From: R.E.Wolff@et.tudelft.nl (Rogier Wolff)
X-Return-Receipt-To: wolff@erasmus.et.tudelft.nl
> I always insist that absolutely nothing at all whatsoever on the file
> system be owned by root. Nothing. At all. Unless there is no other
> way to do it (whatever the "it" might be). There should be a small set
> of accounts whose passwords are protected equally as well as root's,
> that are used for maintaining the various parts of the system. These
> would be, e.g., bin, sys, adm, daemon, kmem, mail, uucp, lp, games,
> field, etc. Directories and files - ESPECIALLY setuid programs (and
> more of those should be setgid) - should be owned by one of these, and
> NOT by root. This would reduce immensely the number of times that it
> would be "necessary" to be root to perform some task or other; and thus
> the number of windows of opportunity for certain types of attack - and
> for simple mistakes.
And in practise, the "root" account is better protected by such
provisions as securetty (can root login on /dev/modem, /dev/pty0?)
nfs root->nobody remapping, rhosts' special case for "root"
(Not honouring /etc/hosts.equiv) etc etc.
So I agree with you that for a set of unexperienced administrators,
it would be nice to have each of them only capable of creating havock
with only part of the system.
Once you can get all applications(*) to treat uids < SOME_LIMIT the
same as "root" I would start to agree with you.
Roger.
(*) And it will be hard to verify that we've modified indeed ALL
applications.....
--
** Q: What's the difference between MicroSoft Windows and a virus? **
** A: Apart from the fact that virusses install easier, none. **
** EMail: R.E.Wolff@et.tudelft.nl * Tel +31-15-2783643 or +31-15-2137459 **
*** <a href="http://einstein.et.tudelft.nl/~wolff/">my own homepage</a> ***