[806] in linux-security and linux-alert archive


Re: [linux-security] Admin note (recent traffic surge).

daemon@ATHENA.MIT.EDU (Brian Davidson)
Sun Jun 16 15:30:26 1996

Date: Thu, 13 Jun 1996 00:37:49 -0400 (EDT)
From: Brian Davidson <bdavids1@mason2.gmu.edu>
To: Woody Weaver <woody@altair.stmarys-ca.edu>
Cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <m0uTbSu-0005KYC@altair.stmarys-ca.edu>

On Tue, 11 Jun 1996, Woody Weaver wrote:

> I have one question about uid 0 accounts.  Of course one wants to give
> minimum permissions to accounts, and the more uid 0 passwords floating
> around the more risks one takes.  Generally, the "all the eggs in one
> basket and watch that basket very closely" is a good idea.  However,
> as one author noted, if you permit a novice to su and do work, there
> is a possibility that they might do something that prevents normal use
> of the system, such as accidentally changing the root password.

How effective is sudo in situations like this?  That can give certain 
users rights to run a limited set of programs as root.  I've got sudo 
rights on a few systems, and can't crash the system, or do anything super 
fancy with the limited set of commands that I've been given.  

I've wondered for a while about how secure sudo really is.  I realize 
that allowing a user to run a program that can escape to a shell would 
defeat this program.  Well selected programs seem to be pretty secure 
though (I think...  I haven't dug around the code yet, though).

> My solution, of course, is just to have a separate boot media handy;
> given that I'm running linux on a PC, it's easy to boot off of floppy
> and mount the main file system on a convenient mount point -- physical
> security beats software security.  But some linux boxes may be in
> inconvenient locations, or be hardware modified as to be unable to boot
> from floppy.

> Is it reasonable to have two uid 0 accounts?  The idea is to minimize
> risk but not permit single points of failure.  The downside, of
> course, is that with both "root" and "tuber" things like ftp or nfs
> access to tuber do not have built in protection as it does against
> root, so ideally one would have to patch daemons to recognize both
> accounts as special (or get the authors to protect against uid 0
> accounts rather than a specific username).

I don't see why 2 uid 0 accounts are necessary.  Various security 
schemes have been dreamed up in the past which split the sensitive 
security areas into the control of different "users".  The problem is, if 
I can get into the one that controls the memory, then I can change all of 
my permissions (if that info is loaded into memory), and do whatever I 
want anyway.

If I can just hack the part to let me access the drives, then I can patch 
the kernel, so next time it boots I've got back doors, etc.

Because of this, I think that 1 account which you guard very well is the 
best solution.  One account is hard enough to keep an eye on, anyway.

__________________________
Brian Davidson
bdavids1@mason.gmu.edu
http://mason.gmu.edu/~bdavids1 
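The two checks an administrator would run on the points raised in this exchange, written as an added example (not code from the post or from either author): first, list every account in a passwd file that carries uid 0, since, as Woody notes, daemons that special-case the name "root" know nothing about a second uid 0 account such as "tuber"; second, scan a sudoers file for user specifications that grant ALL commands or NOPASSWD, and check whether the `noexec` default is set. `noexec` is a real option in later sudo releases (not the 1996 version under discussion) that stops a permitted program from executing further programs, which is sudo's own answer to the escape-to-a-shell problem Brian raises. The passwd lines, the sudoers fragment and the user names in it are constructed sample data.

```python
"""Audit helpers for two points raised in the thread: which accounts are
uid 0, and which sudoers rules grant more than a limited command set.
Sample inputs below are constructed for this example."""
import re
from typing import List, Tuple

# Constructed passwd-format sample: a second uid 0 account ("tuber") is present.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
tuber:x:0:0:second root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
woody:x:1000:1000:Woody:/home/woody:/bin/bash
"""

# Constructed sudoers fragment in modern syntax (not from the original post).
SAMPLE_SUDOERS = """\
Cmnd_Alias BACKUP = /usr/bin/tar, /bin/mount /dev/fd0 /mnt
Defaults noexec
woody   ALL = (root) BACKUP
%wheel  ALL = (ALL:ALL) NOPASSWD: ALL
alice   ALL = ALL
"""

# Matches "who hosts = (runas) commands"; the runas part is optional.
SUDO_RULE = re.compile(
    r'^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$'
)
ALIAS_KEYWORDS = ('Defaults', 'Cmnd_Alias', 'User_Alias', 'Host_Alias', 'Runas_Alias')


def uid0_accounts(passwd_text: str) -> List[str]:
    """Return every user name whose uid field is 0."""
    names = []
    for line in passwd_text.splitlines():
        if not line or line.startswith('#'):
            continue
        fields = line.split(':')
        if len(fields) >= 3 and fields[2].strip() == '0':
            names.append(fields[0])
    return names


def _strip_comment(raw: str) -> str:
    return raw.split('#', 1)[0].strip()


def overbroad_sudo_rules(sudoers_text: str) -> List[Tuple[str, str]]:
    """Flag user specifications that grant ALL commands or carry NOPASSWD."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = _strip_comment(raw)
        if not line or line.startswith(ALIAS_KEYWORDS):
            continue
        m = SUDO_RULE.match(line)
        if not m:
            continue
        tags, commands = [], []
        for cmd in (c.strip() for c in m.group('cmds').split(',')):
            # Peel off leading tags such as "NOPASSWD:" or "NOEXEC:".
            while ':' in cmd and cmd.split(':', 1)[0].strip().isupper():
                tag, cmd = cmd.split(':', 1)
                tags.append(tag.strip())
                cmd = cmd.strip()
            commands.append(cmd)
        if 'ALL' in commands:
            findings.append((m.group('who'), 'grants ALL commands'))
        if 'NOPASSWD' in tags:
            findings.append((m.group('who'), 'NOPASSWD'))
    return findings


def noexec_default(sudoers_text: str) -> bool:
    """True if a Defaults line enables the noexec option."""
    for raw in sudoers_text.splitlines():
        line = _strip_comment(raw)
        if line.startswith('Defaults'):
            options = [o.strip() for o in line[len('Defaults'):].split(',')]
            if 'noexec' in options:
                return True
    return False


if __name__ == '__main__':
    print('uid 0 accounts:', uid0_accounts(SAMPLE_PASSWD))
    for who, why in overbroad_sudo_rules(SAMPLE_SUDOERS):
        print(f'sudoers: {who}: {why}')
    print('noexec default set:', noexec_default(SAMPLE_SUDOERS))
```

Run against the real files by reading `/etc/passwd` and `/etc/sudoers` (the latter as root) instead of the samples. The `woody` rule, limited to a command alias, produces no finding; the wheel group and `alice` rules do, which is the distinction Brian draws between a limited command set and a grant that is root in all but name.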
