Date:      Thu, 1 Nov 2001 15:15:52 +0100
From:      Stijn Hoop <stijn@win.tue.nl>
To:        Anthony Atkielski <anthony@atkielski.com>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: Tiny starter configuration for FreeBSD
Message-ID:  <20011101151552.I70817@pcwin002.win.tue.nl>
In-Reply-To: <00db01c162d9$3272bc90$0a00000a@atkielski.com>; from anthony@atkielski.com on Thu, Nov 01, 2001 at 02:29:11PM +0100
References:  <005a01c161ed$a19933c0$1401a8c0@tedm.placo.com> <5.1.0.14.2.20011101165340.02192a40@pop.ozemail.com.au> <005301c162bd$59ac2740$0a00000a@atkielski.com> <006e01c162bf$8c5d87e0$0b64a8c0@becca> <006b01c162c4$c6597cb0$0a00000a@atkielski.com> <20011101224321.H35710@k7.mavetju.org> <009601c162cd$70da3190$0a00000a@atkielski.com> <20011101135558.H70817@pcwin002.win.tue.nl> <00db01c162d9$3272bc90$0a00000a@atkielski.com>

On Thu, Nov 01, 2001 at 02:29:11PM +0100, Anthony Atkielski wrote:
> > This functionality is not in the base OS as far as I know.
> 
> It's built directly into the kernel.  It is present in all versions of
> NT/2000, as part of the base OS.  Security is very deeply embedded in
> Windows NT.  Nothing runs without a security context.

That's good. Aside from the fact that UNIX has 1 possible security context
(root/non-root) instead of many, that's the same then.

> > ?! *that's* a login? you mean you can actually log
> > on to a Windows domain using http, using base OS
> > functionality?
> 
> Yes.  If you enable authentication on IIS and specify that it is Windows
> domain authentication, users will be logged into the domain when they
> connect to the Web server, as I recall.  If they are already logged into
> the domain, this is transparent to the user.  I used to use this on an
> Intranet based on Windows, to provide maximum security and transparency at
> the same time.  Depending on who you were, you could see completely
> different versions of a Web site.

Well, the concept of logging in to a web site is not new to me, but gaining
administrator privileges on a remote machine by simply surfing to it is
functionality that I didn't know about. I don't know if this is what I'd
want; what if the server is compromised? Or worse, your client is compromised?
You'll gain the same privileges on the server.

Yes, you're right, that's not necessarily 'root' or equivalent; but it's
still a break-in that's spreading over the network.

All of this has nothing to do with OS security IMHO, it's a part of your
setup, whether you're running NT or UNIX or whatever. You have to decide on
the level of access, and for most people, UNIX's root + groups approach
simply works. If you really want the above functionality, then probably
Windows is better.

I still don't see why all of this makes UNIX insecure however.

> > ... *and* do something useful?
> 
> As useful as any Web application gets.  There are administrative functions now
> that you can do from the Web, and these require domain login.

See my comments above - I think it's a pretty scary thought that I can use
a browser to propagate my administrator privileges.

> > Why does it work so well in practice then?
> 
> It doesn't.  But if you never used a more flexible system, you might not
> notice.

Sorry, I should have phrased that as: "Why does it work so well in practice for
so many people then?" - obviously, your setup has higher granularity demands
and Windows fits those. Fine, but that doesn't make it more secure.

> > I'd think we'd all gone to a 'better' model if
> > there was one ...
> 
> Many organizations have ... it's one of the reasons for NT's success (security
> is one of the significant advantages of NT over UNIX).

I doubt that many organizations went over to NT on the basis of
'better security'. Care to share a story?

> > ... tell you what, you can also grant privileges
> > in *nix on another level than 'root/non-root'
> > nowadays (think groups, sudo, countless other possibilities).
> 
> Nope.  None of these replaces the fundamental limitation of root = everything.

True. But they do deliver better granularity at a user level - now you can
have junior sysadmins that can't do everything. Or a helpdesk that can only
reset passwords. That's what you wanted, isn't it?

I do agree with you that having most daemons run as root by default is not
secure, but with proper care UNIX can work around that deficiency (and
most unices do so nowadays - as in sandboxing named and other such measures).

> > And that's why we need to give all users
> > administrator access because otherwise nobody
> > can install any software?
> 
> No, you need to do that because you don't understand NT, or because the
> developers writing the software didn't understand NT, or designed their
> software poorly.

In some ways I'm in above my head; I don't know a lot about NT - but I
have 2 NT admins right around the corner who are more in the know, and they
tried to set this up and failed. Indeed, most software written for NT
doesn't understand its security model. But that's one of the things that
makes it weaker - you have to use the software (otherwise, why would you
run the OS?), and if the security model of the software is weak, it takes
the OS with it. At least, in the typical security/usability trade-off. [1]

Supposedly this should be fixed in Windows XP, but they also claimed that
when delivering 2000, so I don't hold my breath. Would be nice if software
vendors finally got it though.

> > It's all possible - go read up on sudo(1) ...
> 
> I already have, and it is nothing like the architecture I describe.  sudo
> impersonates; but in NT, you actually execute as an individual user with
> specific privileges to do certain things.
> 
> In fact, the NT architecture is far more elaborate than what you normally see
> exposed in the standard user interfaces.  It is possible to control these
> things at a very fine level.  These levels are not exposed because so few
> sites are interested in them, and they tend to be confusing to those who
> don't understand them.

Of course - UNIX does not have as fine-grained access control as NT (although
ACLs in -CURRENT should change that a bit). But it's also usage and setup
that makes a system secure. How many NT admins will really make a service
run as a single user? How many services will actually require administrator
privileges to be fully functional?

> > ... yes things still run as root ...
> 
> And that is the root of the problem, so to speak.  As long as you have that
> constraint, you have a big potential security problem.

You have to limit the use of root because every use is a potential problem,
true. But you also have to limit usage of services on NT, or any other
potential security problem on that OS.

> > If you work with NT, you have to keep up with
> > the numerous vulnerability patches ...
> 
> You have to do that with UNIX, too.

There tend to be fewer patches, and those that come along tend to be less
overall system affecting. Note that this is my opinion, not a cold hard fact.

> > ... not to mention the resource runouts ...
> 
> I haven't seen these, as a general rule, even on systems running for years.
> 
> Resource exhaustion is usually an application problem.

Yes, but most people do run applications on their servers. True, it's not
the fault of the OS then, but having an OS without applications seems rather
pointless. It's also true that having good hardware/drivers can make a lot of
problems disappear, but in general the perceived stability of NT is not as good
as UNIX. Unfortunately, it all also depends on the level of the sysadmin.

> > I'd rather work with 'glaringly obvious limited
> > security' that has proven itself for about 30
> > years already.
> 
> Yes, your emotional attachment to UNIX is quite obvious.

It's not emotional - I'm still using Windows as well, but it just doesn't
fit my needs (and frequently just plain can't do what I want without requiring
me to buy more software, but that's a whole other story). Fortunately it seems
to fit yours.

> > Never been there. But somehow I also wonder;
> > if the concepts behind this system were so great,
> > why weren't they reimplemented somewhere?
> 
> They were.  Many operating systems owe a great deal to Multics.  Even NT is
> partially inspired by Multics.

Just as UNIX was, or in some other respect?

> UNIX postdates Multics, but it was intended to be a simpler system, easy to
> administer and use.  Unfortunately, this meant cutting out most of the
> security features.

Just what security features are we talking about then?

> > Yep, that's UNIX for you - and the first real argument
> > for someone to switch to an 'easier' OS, say Windows NT.
> 
> It is sufficient in itself to justify the switch, for many organizations. 
> There are other arguments, also, such as security and ease of administration
> (for unsophisticated sites).

I won't argue the ease of administration part, at least for various values
of 'administration'. But like I said above, I haven't heard of a site switching
to NT because of better security.

> > I'd really love to know what things that would be.
> 
> Running with an effective UID other than 0 and performing tasks restricted to
> root, for example.

That's indeed impossible, because you're coming from the wrong angle - if
your UID != 0, you can't do tasks that require UID == 0.

If you mean 'granting specific UIDs permission for specific tasks', then
it's indeed impossible on a theoretical level; but there do exist valid
practical workarounds that achieve the same thing. I grant you that UNIX
is a bit more insecure in that respect, but to call it insecure is
truly exaggerated.

--Stijn

[1] We have actually considered having the helpdesk install the software
    for the users, to avoid granting them administrator privileges.
    Unfortunately in a research environment that's simply not possible -
    it would mean a doubling of the support load at the least. How could
    we have worked around this? Fix binary applications?

-- 
Q: Why is Batman better than Bill Gates?
A: Batman was able to beat the Penguin.
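The two points Stijn makes above, that groups plus sudo give you a helpdesk that can only reset passwords and junior sysadmins that can't do everything, and that a non-root UID can be granted specific root-only tasks as a practical workaround, can be written down as a sudoers(5) fragment. This is an added example, not part of the original mail or of any FreeBSD configuration; the group names helpdesk and jradmin, the command paths, and the log file location are assumptions.

```sudoers
# Added example (not from the original mail). Group names 'helpdesk' and
# 'jradmin', the command paths and the log file are assumptions; adjust
# them for the host.

# Helpdesk: may set any ordinary user's password, but never root's.
# The argument pattern requires at least one letter, so a bare 'passwd'
# (which, run as root, would change root's own password) does not match,
# and the negated entry refuses 'passwd root' explicitly.
Cmnd_Alias PASSWD_RESET = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
%helpdesk ALL = (root) PASSWD_RESET

# Junior sysadmins: may restart the name server and read the last part of
# the system log, nothing else. Each command is listed with its exact
# arguments so nothing wider is granted.
Cmnd_Alias NAMED_OPS = /usr/sbin/ndc restart, \
                       /usr/bin/tail -n 100 /var/log/messages
%jradmin ALL = (root) NAMED_OPS

# Record every invocation so use of these privileges can be audited.
Defaults logfile=/var/log/sudo.log
```

Check the file with `visudo -c` before relying on it, and have a member of each group run `sudo -l` to see exactly what they were granted. Note that sudo matches the argument string as a whole against glob patterns, so keep the patterns as narrow as the task allows and list commands explicitly rather than granting ALL and subtracting exceptions.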
