Bugtraq mailing list archives
Re: root permissions
From: tdarcos () access digex net (Paul Robinson)
Date: Fri, 26 Aug 1994 08:42:21 -0400 (EDT)
On Thu, 25 Aug 1994, KevinTX wrote:
> Well, this is not a bug but a question on the design of most Unix systems. It seems to me, and I tried this on Ultrix 4.3, HPUX 9.01, Linux 1.1.x, when root opens a file, being the owner or not, the system does not check the file permissions before granting him access. The same goes for writing and unlinking a file.
>
> I've long considered this to be "wrong" as well. Forcing root to have to obey whether something is allowed to be writable by root would close up a lot of the various holes out there. Of course this creates problems with things like the traditional "passwd" program that would then have to know to do a chmod to give root write perms to the password file.
I don't know, but having seen three different other designs, I notice the most secure systems place account creation code as a system call rather than allowing a privileged user to simply create an account. RSTS/E, which is considered "bulletproof" because the sources were readily available and the administrators were often high-school and college students, got a lot of banging around by people who got to look at the internals and could figure ways to keep their systems from being invaded. (If these kids hadn't been the administrators they probably would have been trying to break into the system. When you already have privileges there's no fun in trying to find them since you already have them. I know, I've been on both sides, once as a nonprivileged user of a non-RSTS system and thirsting for privileges, and then eventually becoming one of the administrators and having them, and using them to get what I had to do done.)

Same thing with the Univac 90/60's VS/9 operating system, which uses a system command to create or remove accounts. VS/9 was a mainframe operating system for an IBM 360 clone. When account creation is a kernel-level function (or supervisor-level function, in systems having more than 2 privilege levels) where the work is done by the operating system in response to a request by a privileged process, for some reason this tends to be more secure than systems that do account creation at the process-level. Or at least it seems that way.

Reports on Security Problems: To Subscribe write PROBLEMS-REQUEST () TDR COM
Paul Robinson - paul () tdr com / tdarcos () MCIMail com / tdarcos () access digex net
Voted "Largest Polluter of the (IETF) list" by Randy Bush <randy () psg com>
Voted "Largest Polluter of digex.general" by Mike <voss () orange digex net>
Current thread:
- Re: core symlinks, (continued)
- Re: core symlinks Greg Woods (Aug 25)
- Re: core symlinks Terje Normann Marthinussen (Aug 26)
- Re: core symlinks pluvius (Aug 25)
- Re: core symlinks Thomas D. Nadeau (Aug 25)
- Re: core symlinks Thomas D. Nadeau (Aug 25)
- Re: nfsbug Steve Salvini (Aug 25)
- Re: nfsbug Christopher Klaus (Aug 25)
- Re: nfsbug Rafi Sadowsky (Aug 25)
- root permissions Aleph One (Aug 25)
- Re: root permissions KevinTX (Aug 25)
- Re: root permissions Paul Robinson (Aug 26)
- Re: root permissions Peter Wemm (Aug 26)
- Re: nfsbug Christopher Klaus (Aug 25)