[806] in linux-security and linux-alert archive
Re: [linux-security] Admin note (recent traffic surge).
daemon@ATHENA.MIT.EDU (Brian Davidson)
Sun Jun 16 15:30:26 1996
Date: Thu, 13 Jun 1996 00:37:49 -0400 (EDT)
From: Brian Davidson <bdavids1@mason2.gmu.edu>
To: Woody Weaver <woody@altair.stmarys-ca.edu>
Cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <m0uTbSu-0005KYC@altair.stmarys-ca.edu>
On Tue, 11 Jun 1996, Woody Weaver wrote:
> I have one question about uid 0 accounts. Of course one wants to give
> minimum permissions to accounts, and the more uid 0 passwords floating
> around the more risks one takes. Generally, the "all the eggs in one
> basket and watch that basket very closely" is a good idea. However,
> as one author noted, if you permit a novice to su and do work, there
> is a possibility that they might do something that prevents normal use
> of the system, such as accidentally changing the root password.
How effective is sudo in situations like this? That can give certain
users rights to run a limited set of programs as root. I've got sudo
rights on a few systems, and can't crash the system, or do anything super
fancy with the limited set of commands that I've been given.
I've wondered for a while about how secure sudo really is. I realize
that allowing a user to run a program that can escape to a shell would
defeat this program. Well selected programs seem to be pretty secure
though (I think... I haven't dug around the code yet, though).
> My solution, of course, is just to have a separate boot media handy;
> given that I'm running linux on a PC, it's easy to boot off of floppy
> and mount the main file system on a convenient mount point -- physical
> security beats software security. But some linux boxes may be in
> inconvenient locations, or be hardware modified so as to be unable to boot
> from floppy.
> Is it reasonable to have two uid 0 accounts? The idea is to minimize
> risk but not permit single points of failure. The downside, of
> course, is that with both "root" and "tuber" things like ftp or nfs
> access to tuber do not have the built-in protection they have against
> root, so ideally one would have to patch daemons to recognize both
> accounts as special (or get the authors to protect against uid 0
> accounts rather than a specific username).
I don't see why 2 uid 0 accounts are necessary. Various security
schemes have been dreamed up in the past which split the sensitive
security areas into the control of different "users". The problem is, if
I can get into the one that controls the memory, then I can change all of
my permissions (if that info is loaded into memory), and do whatever I
want anyway.
If I can just hack the part to let me access the drives, then I can patch
the kernel, so next time it boots I've got back doors, etc.
Because of this, I think that 1 account which you guard very well is the
best solution. One account is hard enough to keep an eye on, anyway.
__________________________
Brian Davidson
bdavids1@mason.gmu.edu
http://mason.gmu.edu/~bdavids1
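Davidson's worry that a sudo-permitted program able to escape to a shell defeats the whole restriction is what a modern sudo's NOEXEC tag and sudoedit are for. Below is an added example, not code from this thread or from the sudo project: a small Python audit of a simplified sudoers rule format (one rule per line, no aliases or Defaults, constructed sample rules) that flags grants of ALL, shell-capable commands without NOEXEC, relative paths and wildcard arguments.

```python
"""Audit simplified sudoers rules for grants that can yield a root shell.

Assumptions (hypothetical, not sudo's real parser): one rule per line of the
form  user host = (runas) TAG: cmd [, cmd...]  with no aliases or Defaults.
"""
import re
import shlex

# Illustrative, not exhaustive: programs that can spawn an interactive shell
# or run arbitrary commands when run as root (editors, pagers, find -exec...).
SHELL_ESCAPERS = {"vi", "vim", "less", "more", "man", "find", "awk",
                  "perl", "python", "sh", "bash"}

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")


def audit_rule(line):
    """Return a list of findings for one rule; an empty list means it passed."""
    m = RULE_RE.match(line.strip())
    if not m:
        return ["unparsable rule"]
    tags = {t.strip(":") for t in m.group("tags").split()}
    findings = []
    for spec in (s.strip() for s in m.group("cmd").split(",")):
        if spec == "ALL":
            findings.append("ALL grants an unrestricted root shell")
            continue
        if spec == "sudoedit" or spec.startswith("sudoedit "):
            continue  # sudoedit runs the editor as the caller, not as root
        argv = shlex.split(spec)
        prog = argv[0].rsplit("/", 1)[-1]
        if not argv[0].startswith("/"):
            findings.append(f"{spec!r}: command path is not absolute")
        if prog in SHELL_ESCAPERS and "NOEXEC" not in tags:
            findings.append(f"{spec!r}: {prog} can escape to a shell; "
                            "add NOEXEC: or use sudoedit")
        if "*" in spec:
            findings.append(f"{spec!r}: wildcard lets the caller add arguments")
    return findings


def audit_sudoers(text):
    """Map each rule's user to its findings, skipping blank and comment lines."""
    report = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            report[line.split()[0]] = audit_rule(line)
    return report


RULES = """\
# constructed sample rules
alice   ALL = (root) /usr/sbin/service apache2 restart
bob     ALL = /usr/bin/vim /etc/motd
carol   ALL = NOEXEC: /usr/bin/vim /etc/motd
dave    ALL = sudoedit /etc/motd
erin    ALL = ALL
frank   ALL = /usr/bin/find /var/log -name "*.log"
"""
```

Running `audit_sudoers(RULES)` flags bob, erin and frank while alice, carol and dave pass; on a real system the same idea belongs in a review of `visudo -c` output rather than a hand-rolled parser.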