Date:      Sat, 23 Sep 2000 11:12:04 -0600 (MDT)
From:      "David G. Andersen" <dga@pobox.com>
To:        Cy.Schubert@uumail.gov.bc.ca
Cc:        green@FreeBSD.ORG (Brian F. Feldman), ahd@kew.com (Drew Derbyshire), freebsd-security@FreeBSD.ORG
Subject:   Re: rsh/rlogin (was Re: sysinstall DOESN'T ASK, dangerous defaults!)
Message-ID:  <200009231712.LAA11575@faith.cs.utah.edu>
In-Reply-To: <200009231701.KAA53314@passer.osg.gov.bc.ca> from "Cy Schubert" at Sep 23, 2000 10:01:36 AM

Lo and behold, Cy Schubert once said:
> 
> More on capabilities.  To do capabilities right apps like su, sudo, and
> ksu would need to be replaced by an admin application that would only
> allow the admin to manage the system, nothing more.  I suppose one could
> have an su application that would have all the capabilities in the world
> but then again what would be the point?  It would be a gaping security
> hole just waiting to be exploited.

  Boggle.  You yourself state later:

> application that would be a gaping hole.  Even though many of the risks
> posed by setuid applications would be mitigated.

  There you go.  Even if you still have the
"administrator-as-god-after-authentication" routine (which, I think, is to
some degree an intractable problem), capabilities still take you vastly
farther down the road of least privilege than ordinary *nix all-or-none
style permissions.

  Without least-privilege administration tools, a capability-based system
isn't complete -- but it's still MUCH, MUCH better than what we have
now!  Don't torpedo a good thing because it's not perfect.  It never will
be;  a system where I can 'chmod a-s /usr/sbin/sendmail' makes me a lot
happier already.

  -Dave

-- 
work: dga@lcs.mit.edu                          me:  dga@pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/

