Date: Sat, 23 Sep 2000 11:12:04 -0600 (MDT) From: "David G. Andersen" <dga@pobox.com> To: Cy.Schubert@uumail.gov.bc.ca Cc: green@FreeBSD.ORG (Brian F. Feldman), ahd@kew.com (Drew Derbyshire), freebsd-security@FreeBSD.ORG Subject: Re: rsh/rlogin (was Re: sysinstall DOESN'T ASK, dangerous defaults!) Message-ID: <200009231712.LAA11575@faith.cs.utah.edu> In-Reply-To: <200009231701.KAA53314@passer.osg.gov.bc.ca> from "Cy Schubert" at Sep 23, 2000 10:01:36 AM
index | next in thread | previous in thread | raw e-mail
Lo and behold, Cy Schubert once said:
>
> More on capabilities. To do capabilities right apps like su, sudo, and
> ksu would need to be replaced by an admin application that would only
> allow the admin to manage the system, nothing more. I suppose one could
> have an su application that would have all the capabilities in the world
> but then again what would be the point? It would be a gaping security
> hole just waiting to be exploited.
Boggle. You yourself state later:
> application that would be a gaping hole. Even though many of the risks
> posed by setuid applications would be mitigated.
There you go. Even if you still have the
"administrator-as-god-after-authentication" routine (which, I think, is to
some degree an intractable problem), capabilities still take you vastly
farther down the road of least privilege than ordinary *nix all-or-none
style permissions.
Without least-privilege administration tools, a capability-based system
isn't complete -- but it's still MUCH, MUCH better than what we have
now! Don't torpedo a good thing because it's not perfect. It never will
be; a system where I can 'chmod a-s /usr/sbin/sendmail' makes me a lot
happier already.
-Dave
--
work: dga@lcs.mit.edu me: dga@pobox.com
MIT Laboratory for Computer Science http://www.angio.net/
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200009231712.LAA11575>