Date:      Sat, 23 Sep 2000 10:01:36 -0700
From:      Cy Schubert <cschuber@uumail.gov.bc.ca>
To:        "Brian F. Feldman" <green@FreeBSD.ORG>
Cc:        Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>, Drew Derbyshire <ahd@kew.com>, freebsd-security@FreeBSD.ORG
Subject:   Re: rsh/rlogin (was Re: sysinstall DOESN'T ASK, dangerous defaults!) 
Message-ID:  <200009231701.KAA53314@passer.osg.gov.bc.ca>
In-Reply-To: Your message of "Sat, 23 Sep 2000 12:13:43 EDT." <200009231613.e8NGDh560434@green.dyndns.org> 

In message <200009231613.e8NGDh560434@green.dyndns.org>, "Brian F. Feldman" writes:
> 
> > Having said that and taking my security officer hat off and putting my 
> > manager hat on.  Most organisations that use SSH are using it 
> > illegally.  With recent licensing changes and the fact that OpenSSH 
> > doesn't install all that cleanly on non-BSD platforms, e.g. no 
> > /dev/random, compile errors, and my customers report that OpenSSH 
> > sometimes hangs on Solaris 2.6 systems (probably related to the entropy 
> > gathering daemon that substitutes /dev/random on non-BSD systems), the 
> > quick and dirty solutions are:
> 
> Or possibly related to Solaris 2.6 being increasingly ancient and buggy...
> 
> > 6.  Turning off or turning on of setuid bits of most setuid apps.
> 
> Hopefully, this won't be useful soon because things will not be setuid and 
> just have the right capabilities :)  Anything left suid will need to have 
> its architecture thought out a bit more -- most uses of it are very 
> suboptimal.

More on capabilities.  To do capabilities right apps like su, sudo, and
ksu would need to be replaced by an admin application that would only
allow the admin to manage the system, nothing more.  I suppose one could
have an su application that would have all the capabilities in the world
but then again what would be the point?  It would be a gaping security
hole just waiting to be exploited.

I think capabilities are a long way off right now until someone writes
an interface application to actually do sysadmin.  Having said all that,
I don't see the average sysadmin today wanting to go to a Microsoft-style
model of system administration.  So we'll be left with an su-like
application that would be a gaping hole, even though many of the risks
posed by setuid applications would be mitigated.

Even the mainframe (MVS) world, where they've separated the function of
operations, security officer, and auditor so they can each watch each other,
gives each class of the above users broad god-like powers because you
cannot predict the kinds of problems you'll be solving.

Ideally we want a world where there are no setuid applications and no
applications that will hand out god-like powers.  I'm not convinced
we will reach the ideal of no su and have applications that will proxy
sysadmin for us because of the two points I made above.

Thinking out loud here, coupling capabilities with some kind of
authentication mechanism like PKI or single-signon across an
organisation, where a central security officer would hand out distributed
privileges on various systems to various principals might be a solution
to my concern.


Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC            
