From owner-freebsd-hackers Mon Jun 16 19:16:33 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id TAA16974 for hackers-outgoing; Mon, 16 Jun 1997 19:16:33 -0700 (PDT)
Received: from pandora.hh.kew.com (root@kendra.ne.highway1.com [24.128.53.73]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id TAA16968 for ; Mon, 16 Jun 1997 19:16:31 -0700 (PDT)
Received: from fantasy-factory.net.kew.com (uucp@fantasy-factory.net.kew.com [204.96.41.103]) by pandora.hh.kew.com (8.8.5/8.8.5) with ESMTP id WAA03027; Mon, 16 Jun 1997 22:15:07 -0400 (EDT)
Received: from kew-sonata.UUCP (uucp@localhost) by fantasy-factory.net.kew.com (8.8.5/8.8.5) with UUCP id WAA05987; Mon, 16 Jun 1997 22:15:05 -0400 (EDT)
Received: by sonata.uucp.kew.com (UUPC/extended 1.12s); Mon, 16 Jun 1997 22:14:53 -0500
Message-ID: <33a5f31d.kew-sonata@sonata.uucp.kew.com>
Date: Mon, 16 Jun 1997 22:14:48 -0500
From: "Drew Derbyshire"
Organization: Kendra Electronic Wonderworks (PO Box 80144, Stoneham MA 02180)
To: "Michael Smith"
Cc: hackers@freebsd.org
Subject: Re: (Fwd) Re: Serious potential IMAP problem
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 17 Jun 1997 09:43:25 +0930 (CST), "Michael Smith" wrote:

> Oh, it's our dear little pal Mark Crispin. He's such a charmer, don't
> you think?

Suffice to say I did not find this comment charming.

> > > In good operating systems, there is a non-root state which equates to being
> > > "not logged in"; it issues an unprivileged system call to log in with
> > > authentication credentials in the call. The kernel validates the
> > > authentication credentials and sets the process's user id on success.
>
> This in turn requires the kernel have the mechanism to access the
> credential store, which may equate to bundling every possible password
> access mechanism with the kernel; yeah, let's suck in all the Kerberos
> stuff, NIS, Radius, S/Key, ssh, Tacacs, SecurID, the Captain Midnight
> Secret Decoder Wheel algorithm, and so on.

This is not correct. For example, FreeBSD file systems need not be
compiled into the kernel to be a system call. Likewise, IBM VM/ESA uses
both external file systems and external security packages with
well-defined APIs which are routed through the kernel but run as started
(daemon) tasks, which would have the required access. Likewise, numerous
systems allow processes acting as "nobody" to execute commands (login,
date, time, in some cases message) which in the case of a command allow
the priv level to be upgraded.

> You'll note that there's no actual attempt to justify why
> authentication by root and subsequent sacrifice of privilege is
> actually _bad_.

This is fairly clear to me -- one never wants to grant more access than
is needed, because if excessive access is never gained, it cannot be
abused by programming error or attack before being surrendered. It also
discourages the practice of every setuid program having direct access to
the sensitive security database.

> Alternatively, consider using the PAM framework, which is compact,
> open to analysis, and once analysed, every program that uses it is
> much simpler to analyse in itself. If PAM interests you, see the
> references off my homepage (http://www.smith.net.au/~mike).

As shared library(s), it still appears to encourage granting root to a
program as trivial as a POP3 server which only needs normal user access.
This temporary root access is, to me, inherently more dangerous than
taking a program from no access to the specific user id without a stop
at the higher priv level.

-ahd-

--
Internet: ahd@kew.com    Voice: 617-279-9810

"During emergency landing, replace dinner tray and bring seat to upright
position. Extinguish all smoking materials . . . including the
spacecraft, if possible." - Spaceman Spiff (aka Calvin)
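The thread argues about whether a daemon that authenticates as root and then "sacrifices privilege" is safe. Whichever side one takes, the drop itself is where such daemons go wrong, so here is an added example (not code from the thread or from any IMAP/POP3 server) of the order a Unix daemon must use to drop root and a check that the drop cannot be undone. It assumes a POSIX system with the BSD-style setgroups() call.

```c
/* Added example: drop root to an unprivileged uid/gid and verify the
 * drop is permanent. Not from the thread; hypothetical helper names. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 0 on success, -1 on failure. Order matters: supplementary
 * groups and the gid must be changed before the uid, because once the
 * effective uid is unprivileged the process can no longer change them,
 * and a daemon that calls setuid() first keeps root's groups forever. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* Only root may clear the supplementary group list. */
        if (setgroups(0, NULL) != 0)
            return -1;
    }
    if (setgid(gid) != 0)
        return -1;
    /* setuid() as root sets real, effective and saved uid together, so
     * there is no saved root id left to switch back to. */
    if (setuid(uid) != 0)
        return -1;

    /* Never trust the return codes alone: confirm every id changed. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* After a drop to a non-root uid, regaining root must fail. Returns 1
 * when the drop is irrevocable, 0 when root is still held or can be
 * regained, i.e. the "temporary root" was never really surrendered. */
int drop_is_irrevocable(void)
{
    if (geteuid() == 0)
        return 0;               /* still root: nothing was dropped */
    if (setuid(0) == 0)
        return 0;               /* got root back: saved uid leaked */
    return errno == EPERM;
}
```

Running the check as an ordinary user exercises the same code path: dropping to one's own uid succeeds and the subsequent setuid(0) is refused.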