Message-Id: <200009231803.e8NI3rV65692@cwsys.cwsent.com>
From: Cy Schubert - ITSD Open Systems Group
To: "David G. Andersen"
Cc: Cy.Schubert@uumail.gov.bc.ca, green@FreeBSD.ORG (Brian F. Feldman), ahd@kew.com (Drew Derbyshire), freebsd-security@FreeBSD.ORG
Subject: Re: rsh/rlogin (was Re: sysinstall DOESN'T ASK, dangerous defaults!)
In-reply-to: Your message of "Sat, 23 Sep 2000 11:12:04 MDT." <200009231712.LAA11575@faith.cs.utah.edu>
Date: Sat, 23 Sep 2000 11:03:04 -0700

In message <200009231712.LAA11575@faith.cs.utah.edu>, "David G. Andersen" writes:
> Lo and behold, Cy Schubert once said:
> >
> > More on capabilities. To do capabilities right apps like su, sudo, and
> > ksu would need to be replaced by an admin application that would only
> > allow the admin to manage the system, nothing more. I suppose one could
> > have an su application that would have all the capabilities in the world
> > but then again what would be the point? It would be a gaping security
> > hole just waiting to be exploited.
>
> Boggle. You yourself state later:

I'll give you the benefit of the doubt and agree I am somewhat undecided
(confused) about what form the tools will look like. No one from the
capabilities camp has shared their ideas about tools yet.

If you're saying I've embarrassed myself, I think not. I thought I was
opening up the discussion.

>
> > application that would be a gaping hole. Even though many of the risks
> > posed by setuid applications would be mitigated.
>
> There you go. Even if you still have the
> "administrator-as-god-after-authentication" routine (which, I think, is to
> some degree an intractable problem), capabilities still take you vastly
> farther down the road of least privilege than ordinary *nix all-or-none
> style permissions.
>
> Without least-privilege administration tools, a capability-based system
> isn't complete -- but it's still MUCH, MUCH better than what we have
> now! Don't torpedo a good thing because it's not perfect. It never will
> be; a system where I can 'chmod a-s /usr/sbin/sendmail' makes me a lot
> happier already.

In other words you agree with me after all. I have not seen any
discussion about what the administration tools in a capabilities
environment will look like and how will I as a manager be able to
delegate responsibility and restrict access to certain functions to
certain members of my team or to other individuals in an organisation.

Regards,                         Phone:  (250)387-8437
Cy Schubert                        Fax:  (250)387-5766
Team Leader, Sun/DEC Team     Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC