[804] in linux-security and linux-alert archive
Re: [linux-security] standard users,groups,perms?
daemon@ATHENA.MIT.EDU (Paul McNabb)
Sun Jun 16 15:30:25 1996
Date: Thu, 13 Jun 1996 08:36:33 -0500
From: mcnabb@argus.cu-online.com (Paul McNabb)
To: linux-security@tarsier.cv.nrao.edu
> Date: Tue, 11 Jun 1996 23:44:28 -0400 (EDT)
> From: Sanjay Kapur <root@kbs.net>
>
> On Tue, 11 Jun 1996, Rogier Wolff wrote:
>
> > To do this, every uid should get
> > a bitvector of privileges. Every "suser()" call in the
> > kernel should get mapped to one of the bits. The default
> > setup sets all of these bits to "enabled" for "root" and
> > "disabled" for all other users.
> >
> > A secure setup would deminish the vector for "root"(?) and increase
> > it for other users. (e.g. the "bind to low ports" bit and the
> > "change uid to normal uids" bit should be on for "sendmail"
> > running as user "mailerdeamon") The login program only needs
> > change_uid (even to root? Maybe not. Abolish root logins!)
>
> [Mod: Quoting trimmed. --Jeff]
>
> VMS, Secure VMS etc. have this and it is very well documented. Another
> thing that higher level security requires is Access Control Lists (ACLs)
> rather than the very simplistic user/group/world security model of Unix.
You can do exactly the same thing with Solaris 2.4/5. User ID 0 can be a
regular user with no special characteristics at all. All of the normal
root privileges can be split up and assigned to programs rather than to
a user, and then limited access can be given to the programs. There are
attributes you can assign to a Java-enabled browser so that even if you
are running it as root (on standard Solaris 2.4/5) and the applets can
issue any system call sequence, you can still protect any file system
object.
There are all kinds of this security out there, people just have to know
about it and be willing to use it.
paul
------------------------------------------------------------
Paul McNabb mcnabb@argus.cu-online.com
Argus Systems Group, Inc. TEL 217-384-6300
1405A East Florida Avenue FAX 217-384-6404
Urbana, IL 61801 USA
------------------------------------------------------------