[912] in linux-security and linux-alert archive
Re: [linux-security] security idea
daemon@ATHENA.MIT.EDU (Stephen C. Tweedie)
Tue Jul 16 05:51:29 1996
Date: Mon, 15 Jul 1996 22:59:47 +0100
From: "Stephen C. Tweedie" <sct@dcs.ed.ac.uk>
To: "Peter J. Braam" <braam@maths.ox.ac.uk>
Cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <Pine.LNX.3.91.960713125339.353A-100000@seal.stelias.com>
Hi,
On Sat, 13 Jul 1996 12:54:02 -0700 (PDT), "Peter J. Braam"
<braam@maths.ox.ac.uk> said:
> I wonder if the following has been considered already.
> Many security issues would be helped if there was one extra user which
> could su to any other user, but not to uid zero. Let's call this user
> "super".
> Suid root programs might still have to start as root, to listen on a
> privileged port for example, but could then relinquish this uid 0 for uid
> super, and do what they need to do. Sendmail is a good example.
The POSIX.6 proposals deal with this already, and in a much more
flexible manner. By splitting root privilege into a number of
independent process rights, they allow processes to inherit (or gain,
via a suid-like mechanism) only those rights which they need.
Furthermore, the process can discard any of those rights in the future
once they are no longer necessary.
Sendmail is actually a bad example. It needs access to certain
mail-specific files, but that can be done by the normal user/group
mechanism anyway. It does not need the privilege of writing files as
another user: a separate delivery program should be used for this to
minimise the possibility of that privilege leaking out of a program
bug. And it _certainly_ shouldn't be given root privilege if all it
needs to do is to bind to a privileged port.
Cheers,
Stephen.
--
Stephen Tweedie <sct@dcs.ed.ac.uk>
Department of Computer Science, Edinburgh University, Scotland.
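The pattern both messages describe, start as root only to bind the privileged port and then relinquish uid 0 before doing any real work, as an added C example that is not from this thread or from sendmail; it assumes Linux/glibc setuid semantics, uses port 25 for the sendmail case, and treats uid/gid 65534 as a constructed placeholder for the service account. The drop routine also checks the ordering failure mode (gid and supplementary groups must go before the uid) and verifies that root cannot be regained afterwards, which is the property Stephen's "discard rights once they are no longer necessary" relies on.

```c
#define _GNU_SOURCE          /* for setgroups() in <grp.h> */
#include <arpa/inet.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Listening TCP socket on 127.0.0.1:port. Ports below 1024 need root (or
 * CAP_NET_BIND_SERVICE), so this is the one step done before dropping root. */
int bind_listener(unsigned short port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Give up root for uid/gid permanently. Order matters: supplementary groups and
 * the gid must be changed while still uid 0, because a non-root uid no longer
 * has the privilege to change them. Returns 0 only if every step succeeded and
 * root can no longer be regained (setuid(0) must now fail). */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) < 0) return -1;
    if (setgid(gid) < 0) return -1;
    if (setuid(uid) < 0) return -1;  /* as root this sets real, effective and saved uid */
    if (uid != 0 && setuid(0) == 0) return -1;  /* drop was not irreversible */
    if (getuid() != uid || geteuid() != uid) return -1;
    return (getgid() == gid && getegid() == gid) ? 0 : -1;
}

int main(void) {
    int fd = bind_listener(25);  /* SMTP, the sendmail case from the thread */
    if (fd < 0) { perror("bind_listener"); return 1; }
    /* 65534 is a constructed placeholder for the service's unprivileged uid/gid. */
    if (drop_privileges(65534, 65534) < 0) { perror("drop_privileges"); return 1; }
    printf("fd %d bound as root; now running as uid %d\n", fd, (int)getuid());
    close(fd);
    return 0;
}
```

Run as root to see the port-25 bind succeed and the process continue as the placeholder uid; unprivileged, bind_listener(25) fails with EACCES while drop_privileges to the caller's own uid/gid still succeeds.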