From owner-freebsd-security Sat Sep 23 10:12:18 2000
Delivered-To: freebsd-security@freebsd.org
Received: from faith.cs.utah.edu (faith.cs.utah.edu [155.99.198.108]) by hub.freebsd.org (Postfix) with ESMTP id 21DB637B43C; Sat, 23 Sep 2000 10:12:13 -0700 (PDT)
Received: (from danderse@localhost) by faith.cs.utah.edu (8.9.3/8.9.3) id LAA11575; Sat, 23 Sep 2000 11:12:04 -0600 (MDT)
Message-Id: <200009231712.LAA11575@faith.cs.utah.edu>
Subject: Re: rsh/rlogin (was Re: sysinstall DOESN'T ASK, dangerous defaults!)
To: Cy.Schubert@uumail.gov.bc.ca
Date: Sat, 23 Sep 2000 11:12:04 -0600 (MDT)
Cc: green@FreeBSD.ORG (Brian F. Feldman), ahd@kew.com (Drew Derbyshire), freebsd-security@FreeBSD.ORG
In-Reply-To: <200009231701.KAA53314@passer.osg.gov.bc.ca> from "Cy Schubert" at Sep 23, 2000 10:01:36 AM
From: "David G. Andersen"
X-Mailer: ELM [version 2.5 PL2]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Lo and behold, Cy Schubert once said:
>
> More on capabilities. To do capabilities right apps like su, sudo, and
> ksu would need to be replaced by an admin application that would only
> allow the admin to manage the system, nothing more. I suppose one could
> have an su application that would have all the capabilities in the world
> but then again what would be the point? It would be a gaping security
> hole just waiting to be exploited.

Boggle. You yourself state later:

> application that would be a gaping hole. Even though many of the risks
> posed by setuid applications would be mitigated.

There you go. Even if you still have the "administrator-as-god-after-authentication" routine (which, I think, is to some degree an intractable problem), capabilities still take you vastly farther down the road of least privilege than ordinary *nix all-or-none style permissions.

Without least-privilege administration tools, a capability-based system isn't complete -- but it's still MUCH, MUCH better than what we have now! Don't torpedo a good thing because it's not perfect. It never will be; a system where I can 'chmod a-s /usr/sbin/sendmail' makes me a lot happier already.

-Dave

-- 
work: dga@lcs.mit.edu                 me:  dga@pobox.com
MIT Laboratory for Computer Science   http://www.angio.net/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
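The post's closing point is that, on an all-or-none setuid system, the one lever an administrator has is to strip the set-id bit from binaries that don't need it ('chmod a-s'). The script below is an added example, not code from the post, from FreeBSD, or from any of the people in this thread: it audits a directory tree for set-user-ID and set-group-ID files and shows the effect of 'chmod a-s' on one of them. It works on a constructed scratch tree built by make_sandbox (file names such as sendmail and wall are assumptions chosen to mirror the post), so it never touches the real /usr/sbin.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): audit a tree for
# set-user-ID / set-group-ID files, the all-or-none privilege the post
# contrasts with capabilities, and demonstrate dropping the bit.

# list_setuid DIR: print every regular file under DIR with the setuid or
# setgid bit set, one path per line, sorted for stable output.
list_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# count_setuid DIR: number of set-id files under DIR, a convenient
# before/after metric for a least-privilege audit.
count_setuid() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# drop_setuid FILE: remove both set-id bits ("chmod a-s", as in the post)
# and return 0 only if neither bit remains on the file afterwards.
drop_setuid() {
    chmod a-s "$1" || return 1
    # -u tests the setuid bit, -g the setgid bit (POSIX test(1) operators)
    if [ -u "$1" ] || [ -g "$1" ]; then
        return 1
    fi
    return 0
}

# make_sandbox: build a constructed scratch tree with one setuid file, one
# setgid file and one ordinary file; prints the sandbox path on stdout.
# The names are assumptions that mirror the post, not real system binaries.
make_sandbox() {
    sb=$(mktemp -d) || return 1
    mkdir -p "$sb/usr/sbin" "$sb/usr/bin"
    : > "$sb/usr/sbin/sendmail" && chmod 4755 "$sb/usr/sbin/sendmail"
    : > "$sb/usr/bin/wall"      && chmod 2755 "$sb/usr/bin/wall"
    : > "$sb/usr/bin/cat"       && chmod 0755 "$sb/usr/bin/cat"
    printf '%s\n' "$sb"
}
```

Typical use: SB=$(make_sandbox); count_setuid "$SB" reports 2; drop_setuid "$SB/usr/sbin/sendmail" strips the bit and the count falls to 1, with list_setuid showing only the remaining setgid file. On a real host you would run list_setuid against / (as root) to get the inventory, and drop the bits only on binaries whose callers are known not to need them.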