From owner-freebsd-security Mon Jul 7 08:06:05 1997
Date: Mon, 07 Jul 1997 07:48:48 -0700 (PDT)
From: "Duane H. Hesser"
To: Christopher Petrilli
Subject: Re: Security Model/Target for FreeBSD or 4.4?
Cc: freebsd-security@FreeBSD.ORG, Adam Shostack, Colman Reilly, "Jordan K. Hubbard"
In-Reply-To: <199707061827.OAA23298@chaos.amber.org>
Sender: owner-security@FreeBSD.ORG

There is a Version 7 document by Dennis Ritchie, available online, which
ought to be a good beginning for a study or discussion of Unix security:

http://plan9.bell-labs.com/7thEdMan/vol2/security

This is troff source (and the macros are also available). In fact, most
of the Version 7 manual sources for volumes 1 and 2 are at that address
(bookmark it NOW, before you forget).

Another applicable document you will find there is

http://plan9.bell-labs.com/7thEdMan/vol2/password

This is a short discussion by Robert Morris and Ken Thompson regarding
password security.

I seem to recall another document--probably from around that same time--
which discussed the "friendly enemies" approach to checking security.
I'll see if I can find it in my old manuals (does it ring a bell with
anyone?).

On 06-Jul-97 Christopher Petrilli wrote:
>In reply to Jordan K. Hubbard (jkh@time.cdrom.com) on 7/5/97 7:47 PM:
>
>>> I also spent a couple of hours fighting with Alta Vista looking for relevant
>>> documents and didn't find very much. Any other suggestions?
>>
>>/usr/src? :)
>>
>>Seriously, I doubt you'll find that anyone has sat down and documented
>>this aspect of the system specifically. If you want to study the
>>security implementation in detail, the sources remain the first and
>>foremost resource. In fact, they probably represent the ONLY resource.
>>Good luck!
>
>I will note that there has been off and on talk of a C2 certified FreeBSD
>implementation, which would require documentation.
>
>I think it's important to understand that few OSes (outside the "big
>boys" like VMS, MVS, VM, GUARDIAN, etc.) have documented formal security
>policies. Mostly it's just whatever a programmer feels like.
>
>Christopher
>
>--
>| Christopher Petrilli        "That's right you're
>| petrilli@amber.org          not from Texas."
>
>

--------------
Duane H. Hesser
dhh@androcles.com