From owner-freebsd-questions Thu Nov 1 9:58:47 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from atkielski.com (atkielski.com [161.58.232.69]) by hub.freebsd.org (Postfix) with ESMTP id F342637B405 for ; Thu, 1 Nov 2001 09:58:38 -0800 (PST)
Received: from contactdish (aboukir-101-2-1-atkielsk.adsl.nerim.net [62.4.19.136]) by atkielski.com (8.11.6) id fA1HwGd60622; Thu, 1 Nov 2001 18:58:16 +0100 (CET)
Message-ID: <001401c162fe$d4c8cff0$0a00000a@atkielski.com>
From: "Anthony Atkielski"
To: "FreeBSD Questions"
References: <005a01c161ed$a19933c0$1401a8c0@tedm.placo.com> <5.1.0.14.2.20011101165340.02192a40@pop.ozemail.com.au> <005301c162bd$59ac2740$0a00000a@atkielski.com> <006e01c162bf$8c5d87e0$0b64a8c0@becca> <006b01c162c4$c6597cb0$0a00000a@atkielski.com> <20011101224321.H35710@k7.mavetju.org> <009601c162cd$70da3190$0a00000a@atkielski.com> <20011101135558.H70817@pcwin002.win.tue.nl> <00db01c162d9$3272bc90$0a00000a@atkielski.com> <20011101151552.I70817@pcwin002.win.tue.nl>
Subject: Re: Tiny starter configuration for FreeBSD
Date: Thu, 1 Nov 2001 18:58:33 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk

Stijn writes:

> That's good. Aside from the fact that UNIX has
> 1 possible security context (root/non-root)
> instead of many, that's the same then.

That's like saying that two cars are the same because they both have two speeds: moving and stationary.

> Well, the concept of logging in to a web site is
> not new to me, but gaining administrator privileges
> on a remote machine by simply surfing to it is
> functionality that I didn't know about.

Remote administration has been around for quite a while, and not just on Windows machines. You can even telnet into a UNIX system as root, if you want, and if you enable it.

> I don't know if this is what I'd want; what if
> the server is compromised?

If the server is compromised, standing next to it isn't any more secure than being a thousand miles away.

> Or worse, your client is compromised?

If it's your machine, you should be able to protect it.

> Yes, you're right, that's not necessarily 'root'
> or equivalent; but it's still a break-in that's
> spreading over the network.

Hardly. You've taken for granted that a compromise has occurred, and now you are extrapolating upon that without questioning its validity or plausibility. It is perfectly possible to establish secure sessions over long distances between two correspondents. Distance in itself does not necessarily correlate with risk.

> You have to decide on the level of access, and
> for most people, UNIX's root + groups approach
> simply works.

It works simply, yes. For many applications, it is sufficient.

> I still don't see why all of this makes UNIX
> insecure however.

It is relatively less secure than Windows NT, for reasons I have previously explained. UNIX is not high on the list of secure operating systems; in fact, it's not really on the list at all, although some hybrid versions of UNIX are quite secure.

> See my comments above - I think it's a pretty
> scary thought that I can use a browser to propagate
> my administrator privileges.

Propagate? I'm not sure what you mean. If you can perform administration in front of the machine, what's scary about being able to do it from home?

> Sorry, I should have phrased that as: "Why does
> it work so well in practice for so many people then?"
> ...

Most people don't care about security, so the convenience of UNIX is more attractive to them than the poor security is discouraging.

> ... obviously, your setup has higher granularity
> demands and Windows fits those. Fine, but that
> doesn't make it more secure.

Your second statement conflicts with your first. If you require that granularity, you need an OS that provides it; one that does not is unacceptably insecure.

> I doubt that many organizations went over to NT
> on the basis of 'better security'. Care to share a story?

Organizations with stringent security requirements don't want their stories shared; sometimes they even put this in writing.

> True. But they do deliver better granularity at
> a user level - now you can have junior sysadmins
> that can't do everything. Or a helpdesk that can only
> reset passwords. That's what you wanted, isn't it?

Yes, and Windows NT delivers that. I've implemented it.

> I do agree with you that having most daemons run
> as root by default is not secure, but with proper
> care UNIX can work around that deficiency (and
> most Unices do so nowadays - as in sandboxing
> named and other such measures).

Proper care can keep all sorts of systems secure; but the less secure the system is inherently, the more time and attention are required to maintain security. Lapses are more likely, and kludges multiply.

> ... but I have 2 NT admins right around the corner
> who are more in the know, and they tried to set
> this up and failed.

Without knowing more about the specific case, I cannot comment.

> Indeed, most software written for NT doesn't understand
> its security model.

Hardly anyone understands the NT security model in detail; most people aren't interested, and even for those who are, documentation is scanty.

> But that's one of the things that makes it weaker
> - you have to use the software (otherwise, why would
> you run the OS?), and if the security model of the
> software is weak, it takes the OS with it.

Only if the OS trusts it. But applications can be untrusted, in which case they are not a threat to security.

> How many NT admins will really make a service
> run as a single user?

Many installation procedures recommend this and describe how to do it. It is possible to run services under the system account, however, and many services do run that way, if they are trusted and require the access.

> How many services will actually require administrator
> privileges to be fully functional?

It depends on what the system is doing. NT doesn't really divide privileges into administrator/user categories, but there is a set routinely granted to certain classes of administrator, and denied to the most ordinary users.

> You have to limit the use of root because every
> use is a potential problem, true. But you also have
> to limit usage of services on NT, or any other
> potential security problem on that OS.

No, that's not the issue. If anyone requires even one privilege that must run as root, then he must run as root--but running as root also gives him every other privilege on the system. It's like having only one security classification for confidential information, with everyone either having access to all of it or none of it. Obviously, that is not enough in many real-world situations.

> There tend to be fewer patches, and those that come
> along tend to be less overall system affecting.
> Note that this is my opinion, not a cold hard fact.

I've never been aware of any difference.

> Yes, but most people do run applications on
> their servers. True, it's not the fault of the OS
> then ...

So your point is moot.

> ... in general the perceived stability of NT
> is not as good as UNIX.

It depends on whom you ask. UNIX is a very simple OS, and most applications for it are simple as well. Simplicity tends to ensure reliability and stability. This being so, UNIX systems tend to be extremely stable. Most people who criticize Windows stability have no experience with NT, however, and of those who do, many are running very unstable applications on their machines. Things like antivirus programs are a constant headache, for example, because they can seriously destabilize a system.

> Fortunately it seems to fit yours.

Most of the applications I need run on Windows, so I use Windows. NT makes both a good workstation and a good server, although it is probably not ideal for either purpose.

> Just as UNIX was, or in some other respect?

UNIX is much more like Multics than NT, but NT certainly was inspired with respect to ACLs, as were many other operating systems.

> Just what security features are we talking about then?

Mandatory and discretionary access controls, rings (a form of MAC), and the like.

> I won't argue the ease of administration part, at
> least for various values of 'administration'.

NT administration is easier for the simple bulk of tasks as compared to UNIX, but perhaps harder for the more complex tasks.

> But like I said above, I haven't heard of a site switching
> to NT because of better security.

It's unusual for sites to switch in either direction, since both operating systems can get the job done.

> That's indeed impossible, because you're coming
> from the wrong angle - if your UID != 0, you can't
> do tasks that require UID == 0.

Unfortunately, _all_ administrative tasks require UID == 0.

> [1] We have actually considered having the helpdesk
> install the software for the users, to avoid granting
> them administrator privileges.

I usually give users local administrator privileges, which is all they need to install anything. Of course, they do not receive any domain administration privileges. There usually isn't much reason to refuse them administrator access to their own machines.
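An added example, not part of this thread and not FreeBSD or ISC code, on the point the two correspondents touch on above: daemons that start as root and the "proper care" needed to work around it. Stijn's example is sandboxing named; the mechanism such daemons use is to stay root only for the one step that needs it (binding a low port, reading a key file, chrooting) and then give root up permanently. The C below shows that drop in the order that actually works, supplementary groups first, then gid, then uid, because once the uid is unprivileged the process can no longer change its groups, and then verifies the result rather than assuming it, since a drop that silently fails is exactly the kind of lapse the reply above says becomes more likely. The account name passed on the command line is whatever exists on the host; nothing here is specific to named.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently give up root in favour of uid/gid.
 * Returns 0 on success, -1 on failure with errno set.
 * Order matters: the supplementary group list and the gid can only be
 * changed while still root, so both go before setuid(). */
int drop_privileges(uid_t uid, gid_t gid)
{
    gid_t groups[1] = { gid };

    /* Replace the inherited supplementary groups (root often carries
     * wheel or operator) with just the target gid. Only root may call
     * setgroups(); when started unprivileged there is nothing to shed. */
    if (geteuid() == 0 && setgroups(1, groups) != 0)
        return -1;
    /* Called as root, setgid()/setuid() set the real, effective and
     * saved ids, so the drop is irreversible. seteuid() alone would
     * leave a saved uid of 0 behind, which is the classic mistake. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/* The check a daemon should run after the drop: 1 if the process is no
 * longer root and cannot get root back, 0 otherwise. The probe is
 * setuid(0): if a saved uid of 0 survived, that call succeeds. */
int privileges_dropped(void)
{
    if (getuid() == 0 || geteuid() == 0)
        return 0;
    if (setuid(0) == 0)
        return 0;   /* just became root again: the drop had not stuck */
    return 1;
}

/* Resolve an account name and drop to it. Returns 0 on success,
 * -1 if the account is unknown (errno ENOENT) or the drop fails. */
int drop_to_user(const char *name)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL) {
        errno = ENOENT;
        return -1;
    }
    return drop_privileges(pw->pw_uid, pw->pw_gid);
}

/* Usage: ./drop [account]
 * Run as root with an unprivileged account name to see a real drop.
 * Run as a normal user with no argument, the drop to its own ids
 * succeeds and the check still reports root as unrecoverable. */
int main(int argc, char **argv)
{
    int rc = (argc > 1) ? drop_to_user(argv[1])
                        : drop_privileges(getuid(), getgid());

    if (rc != 0) {
        fprintf(stderr, "drop failed: %s\n", strerror(errno));
        return 1;
    }
    int ok = privileges_dropped();
    printf("uid=%u euid=%u gid=%u, root unrecoverable: %s\n",
           (unsigned)getuid(), (unsigned)geteuid(), (unsigned)getgid(),
           ok ? "yes" : "NO, still root");
    return ok ? 0 : 1;
}
```

In a real daemon the chroot() call goes before drop_privileges(), since it too needs root, and the privileged resources (the listening socket, the open key file) are acquired before the drop and simply kept afterwards. The exit status of main() makes the verification visible to whatever starts the daemon, so a failed drop is a startup failure rather than a root daemon nobody notices.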