[81] in WWW Security List Archive
Re: GSS API (as a DLL)...
daemon@ATHENA.MIT.EDU (hallam@dxal18.cern.ch)
Fri Aug 19 08:26:35 1994
From: hallam@dxal18.cern.ch
To: www-security@ns1.rutgers.edu
Cc: hallam@dxal18.cern.ch
In-Reply-To: Your message of "Fri, 19 Aug 94 00:09:15 EDT." <9408190409.AA19012@oliver.MIT.EDU>
Date: Fri, 19 Aug 94 11:36:53 +0200
Re UNIX being as full of holes as the cheese is over here.... Yep I think
we all know that.
My plan was to require the client and server be run with SETUID to be able
to get at the key database. It's easier to protect the cluster secret key than
piddle round with protection like... The observation is that on any
multi-user system there is no way of stopping the sysop from finding out
such a key unless it is physically protected (smartcard). Thus instead of
piddlin' about giving every user their own key and further piddling to
distribute it, best have as few keys to go "walkies".
My UNIX box may be as full of holes as the cheese here but I trust it more
than I do the users.
So instead of installing the client setuid, install the DLL/shared image/
wotever with the relevant rights identifier. That way spoofing the library
is no help - you no longer have access to the keys.
Of course this may not work on UNIX boxen but the only way of
repairing that is isomorphic to the identity of the proverbial woodcutter's axe.
Let us try to get an idea of wot we wanna do and what we can do. The two are
not the same.
1) We can do shared images
2) We can probably do dynamic linking of shared images
3) We can certainly validate code modules taken off the net prior to loading
4) We can make the security scheme modular for drop in replacement.
So far so good :-
5) We could if we REALLY WEALLY WANTED TO :-
Take a security module off the net and link it in to a running
system dynamically.
Shared images are in between. But since libwww can be a shared image the
security mechanism inside it will be so inevitably. Basically if you have
no faith in the security of shared libraries on your system then do not
use them at all. There is however absolutely no reason why a trojan horse
in a security product should be worse in its effect than another trojan
horse. Hacking xv so that it rm's the filesystem or the old favourite
alias ls rm -r ~/. ;
Anyone who wants to use (5) before we can do (1-4) needs a long rest. Preferably
with nice relaxing views and comfortable but secure clothing and lots of
sympathetic people to talk to....
Phill H-B
PS:- Am currently hacking a license/certificate proggy together as a part
of Shen... Preview time :
Issuer: CERN
Authorization: WEB-94-001
Authorized-User: Phillip M. Hallam-Baker CERN ECP PTG
Product-Name: Shen
Producer: CERN-PTG
Units: 0
Version: 1.0
Start-Date: 01-Jan-1994
Expiry-Date: 31-Dec-1995
Availability: 0
Options:
Hardware-ID: 45342
MIC-Body: RSA,RSA-MD5,uuuuuuuuuuuuuu==
MIC-Head: RSA,RSA-MD5,uuuuuuuuuuuuuu==
The MIC-Body being the checksum for the tar file or other distributifying
mechanism. The MIC-Head being the signature of the rest of the certificate
and the other bits being fairly arbitrary MIME headers.
Capitalists: please note the Money grabbifying potential $-)
[Ps appols for the mode of speech, went to see A Clockwork Orange last night]
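Added example, not code from the post or from Shen: it issues and verifies a licence record in the header style shown above, where MIC-Body signs the MD5 of the distributed archive and MIC-Head signs the MD5 of every other header. The post does not define a canonical form or key, so this assumes newline-joined "Name: value" lines (MIC-Head excluded) and textbook RSA (no padding) over a constructed demo key built from two public Mersenne primes, which is fine for illustrating the structure and useless as a real key.

```python
import base64
import hashlib

# Constructed demo key: factors are public Mersenne primes, so this is NOT a secret key.
DEMO_P = 2**127 - 1
DEMO_Q = 2**89 - 1
DEMO_N = DEMO_P * DEMO_Q
DEMO_E = 65537
DEMO_D = pow(DEMO_E, -1, (DEMO_P - 1) * (DEMO_Q - 1))

def parse_license(text):
    """Split 'Name: value' lines into an ordered list of (name, value) pairs."""
    fields = []
    for line in text.strip().splitlines():
        name, _, value = line.partition(":")
        fields.append((name.strip(), value.strip()))
    return fields

def head_bytes(fields):
    """Assumed canonical form of the certificate minus MIC-Head: what MIC-Head signs."""
    return "\n".join(f"{k}: {v}" for k, v in fields if k != "MIC-Head").encode()

def rsa_md5_sign(data, d, n):
    """Textbook RSA over the MD5 digest, encoded like the post's 'RSA,RSA-MD5,<base64>'."""
    h = int.from_bytes(hashlib.md5(data).digest(), "big")
    sig = pow(h, d, n).to_bytes((n.bit_length() + 7) // 8, "big")
    return "RSA,RSA-MD5," + base64.b64encode(sig).decode()

def rsa_md5_verify(data, mic, e, n):
    alg, _, b64 = mic.rpartition(",")
    if alg != "RSA,RSA-MD5":
        return False
    sig = int.from_bytes(base64.b64decode(b64), "big")
    return pow(sig, e, n) == int.from_bytes(hashlib.md5(data).digest(), "big")

def issue_license(fields, archive, d=DEMO_D, n=DEMO_N):
    """Append MIC-Body (over the archive) and then MIC-Head (over all other headers)."""
    fields = [(k, v) for k, v in fields if k not in ("MIC-Body", "MIC-Head")]
    fields.append(("MIC-Body", rsa_md5_sign(archive, d, n)))
    fields.append(("MIC-Head", rsa_md5_sign(head_bytes(fields), d, n)))
    return "\n".join(f"{k}: {v}" for k, v in fields)

def verify_license(text, archive, e=DEMO_E, n=DEMO_N):
    """Return (head_ok, body_ok): headers untampered, archive matches MIC-Body."""
    fields = parse_license(text)
    by_name = dict(fields)
    head_ok = rsa_md5_verify(head_bytes(fields), by_name.get("MIC-Head", ""), e, n)
    body_ok = rsa_md5_verify(archive, by_name.get("MIC-Body", ""), e, n)
    return head_ok, body_ok

# Constructed sample input: a stand-in for the tar file and the post's header fields.
ARCHIVE = b"constructed stand-in for the Shen 1.0 tar file\n"
FIELDS = [("Issuer", "CERN"), ("Authorization", "WEB-94-001"), ("Product-Name", "Shen"),
          ("Version", "1.0"), ("Start-Date", "01-Jan-1994"), ("Expiry-Date", "31-Dec-1995"),
          ("Hardware-ID", "45342")]
```

Editing any header other than MIC-Head breaks the head check, and swapping the archive breaks the body check, which is the property the two MIC lines are there to give.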