[840] in linux-security and linux-alert archive


Re: [linux-security] sudo limiting

daemon@ATHENA.MIT.EDU (Miller, Raul D.)
Mon Jun 24 14:58:07 1996

From: "Miller, Raul D." <RDMiller@legislate.com>
To: leitner@prz.tu-berlin.de, owner-linux-security@tarsier.cv.nrao.edu
Cc: blue@buttercup.cybernex.net, linux-security@tarsier.cv.nrao.edu
Date: Fri, 21 Jun 96 19:20:00 PDT

Hacking /bin/passwd offers *no* security against someone with root access.

Remember, all it's doing is modifying some files.  It's always possible to do 
this with other tools (e.g. an editor, a private copy of passwd).

A right way to deal with this problem, in my opinion, is

(1) logging -- keep the logs off the multi-user system.  Also, stay outside
the computer when dealing with people who do things that they aren't supposed
to (like disable logging, or change root password or whatever).

(2) encryption -- this isn't as much of a win as you might think, because
it's often possible to grab snapshots of the encryption handling program.
This is about as secure as handing out the passwords.  If you can get the
encryption done in a non-multi-user context this can be a good thing.  When 
combined with logging it's even better.

Unfortunately, both of these mechanisms have drawbacks -- they can seriously 
impair the usefulness of a collaborative system.  A better solution, if you 
can work it, is to partition the system so that secure information is not 
available on a system that can be accessed by people who shouldn't have it.  
Of course, that doesn't usually work either.

A compromise, and it's looking better to me every week, is the Posix.6 stuff 
that's being worked on for Linux (not ready yet).

-- 
Raul
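Point (1) above, logging kept off the multi-user system, as an added example that is not part of Raul's message or of any tool discussed in the thread: an rsyslog configuration (a much later syslog daemon than anything available in 1996) that keeps a local copy and also ships every message to a separate collector. The hostname `loghost`, the spool directory and the queue file name are assumed placeholders.

```conf
# Added example, not from the original post: forward all syslog traffic to a
# dedicated log host so that someone with root on this machine cannot quietly
# rewrite the only copy of the history.

# Directory for on-disk queues (assumed path; any writable spool dir works).
$WorkDirectory /var/spool/rsyslog

# Keep the usual local copy so the box is still debuggable on its own.
*.*    /var/log/messages

# Spool forwarded messages to disk and retry forever, so a short outage of
# the collector does not silently drop records.
$ActionQueueType LinkedList
$ActionQueueFileName fwdqueue
$ActionResumeRetryCount -1

# "@@" sends over TCP (a single "@" would be UDP). "loghost" is a placeholder
# for a collector that local users, including local root, cannot log into.
*.*    @@loghost:514
```

This only preserves what was emitted before a local root disables or edits the forwarding rule; the collector side should therefore also alert when a host that normally logs steadily goes quiet, which is the "stay outside the computer" part of the advice expressed as a detection rule.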
