Bugtraq mailing list archives

Re: root permissions


From: tdarcos () access digex net (Paul Robinson)
Date: Fri, 26 Aug 1994 08:42:21 -0400 (EDT)


On Thu, 25 Aug 1994, KevinTX wrote:

>     Well, this is not a bug but a question on
> the design of most Unix systems. It seems to me, and
> I tried this on Ultrix 4.3, HPUX 9.01, Linux 1.1.x,
> when root opens a file, being the owner or not, the
> system does not check the file permissions before
> granting him access. The same goes for writing and
> unlinking a file.

I've long considered this to be "wrong" as well.  Forcing root to 
have to obey whether something is allowed to be writable by root 
would close up a lot of the various holes out there.  Of course 
this creates problems with things like the traditional "passwd" 
program that would then have to know to do a chmod to give root write 
perms to the password file.

I don't know, but having seen three different other designs, I notice the 
most secure systems place account creation code as a system call rather 
than allowing a privileged user to simply create an account.

RSTS/E, which is considered "bulletproof" because the sources were 
readily available and the administrators were often high-school and 
college students, got a lot of banging around by people who got to look 
at the internals and could figure ways to keep their systems from being
invaded.  (If these kids hadn't been the administrators they probably 
would have been trying to break into the system.  When you already have 
privileges there's no fun in trying to find them since you already have 
them.  I know, I've been on both sides, once as a non-privileged user of 
a non-RSTS system and thirsting for privileges, and then eventually becoming 
one of the administrators and having them, and using them to get what I 
had to do done.)

Same thing with the Univac 90/60's VS/9 operating system which uses a 
system command to create or remove accounts.  VS/9 was a mainframe 
operating system for an IBM 360 clone.

When account creation is a kernel-level function (or supervisor-level
function, in systems having more than 2 privilege levels) where the work
is done by the operating system in response to a request by a privileged
process, for some reason this tends to be more secure than systems that do
account creation at the process-level.  Or at least it seems that way. 


Reports on Security Problems: To Subscribe write PROBLEMS-REQUEST () TDR COM
Paul Robinson - paul () tdr com / tdarcos () MCIMail com / tdarcos () access digex net
Voted "Largest Polluter of the (IETF) list" by Randy Bush <randy () psg com>
Voted "Largest Polluter of digex.general" by Mike <voss () orange digex net>
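The behaviour KevinTX reports and Paul discusses above, shown as an added example that is not part of the original thread: a small C program (my own code, assuming Linux with /proc mounted and a writable /tmp; the file name and function names are this example's) creates a file it owns, clears every permission bit, and tries to open it read-write. On a modern Linux kernel the decision is not "euid == 0" but whether the process holds CAP_DAC_OVERRIDE in its effective capability set (which uid 0 has by default), so the program reads CapEff from /proc/self/status to predict what the kernel will do, then checks the prediction against the real open() result.

```c
/* Added example, not from the original post.  Demonstrates that a process
 * holding CAP_DAC_OVERRIDE (root has it by default on Linux) opens a file
 * whose permission bits are 0000, while an unprivileged process is refused
 * with EACCES.  Assumes Linux with /proc mounted and a writable /tmp; the
 * temp-file name and function names are this example's own. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Bit index of CAP_DAC_OVERRIDE in the CapEff mask (value 1 in
 * linux/capability.h; defined here so the example needs no kernel headers). */
#define CAP_DAC_OVERRIDE_BIT 1

/* Return 1 if the effective capability set holds CAP_DAC_OVERRIDE, else 0.
 * Read from /proc/self/status; where that file is absent (non-Linux) fall
 * back to the classic "effective uid is 0" rule of 1994-era Unix. */
static int has_dac_override(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return geteuid() == 0;
    int result = geteuid() == 0;
    char line[256];
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            /* strtoull skips the leading tab and parses the hex mask. */
            unsigned long long caps = strtoull(line + 7, NULL, 16);
            result = (int)((caps >> CAP_DAC_OVERRIDE_BIT) & 1ULL);
            break;
        }
    }
    fclose(f);
    return result;
}

/* Create a file owned by the caller, chmod it to 0000, and try to open it
 * read-write.  Returns 1 if open() succeeded (DAC bypassed), 0 if it failed
 * with EACCES, -1 on an unrelated error.  The file is removed afterwards:
 * unlink() is governed by the directory's permissions, not the file's, so
 * the owner can remove a mode-0000 file. */
static int try_open_mode0000(void)
{
    char path[] = "/tmp/dac_demo.XXXXXX";
    int fd = mkstemp(path);          /* created with mode 0600 */
    if (fd < 0)
        return -1;
    if (write(fd, "secret\n", 7) != 7) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);
    if (chmod(path, 0) != 0) {       /* clear every permission bit */
        unlink(path);
        return -1;
    }

    int result;
    fd = open(path, O_RDWR);
    if (fd >= 0) {
        result = 1;
        close(fd);
    } else {
        result = (errno == EACCES) ? 0 : -1;
    }
    unlink(path);
    return result;
}

int main(void)
{
    int expected = has_dac_override();
    int got = try_open_mode0000();
    printf("euid=%u, CAP_DAC_OVERRIDE=%s: open(O_RDWR) on a mode-0000 file %s\n",
           (unsigned)geteuid(), expected ? "yes" : "no",
           got == 1 ? "succeeded" :
           got == 0 ? "failed with EACCES" : "failed unexpectedly");
    return got == expected ? 0 : 1;
}
```

Run it once as an ordinary user and once under sudo to see both outcomes. The capability check is also the modern answer to Paul's wish that root be made to obey the mode bits: a uid-0 process whose bounding set lacks CAP_DAC_OVERRIDE (and CAP_DAC_READ_SEARCH, which separately bypasses read and directory-search checks) is refused exactly like any other user, which is why a set-uid program such as passwd must keep those capabilities, or be granted write access to its file some other way, to keep working.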
