Subject: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
To: Geert Hendrickx <ghen@telenet.be>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: netbsd-users
Date: 01/13/2007 11:05:26
On Fri, 12 Jan 2007 23:41:02 +0100
Geert Hendrickx <ghen@telenet.be> wrote:
>
> So, you guys have no local users on your systems ... ?
I have very few, though that's mostly circumstance. I have fairly
extensive comp center experience, though; I do understand the situation.
But no, I don't really trust most operating systems. It's why I'm
building a new Xen-based server, so I can put the stuff I care about on
a separate VM from the one I use for my external users. In fact, I
offered one subset of that group their own VM, if they felt the need
for more security.
>
> Isn't that exactly why many daemons (mail, web, dns, ...) run as
> non-root; if they get cracked, the entire system is not compromised?
> The concept of unprivileged users is the corner stone of the UNIX
> security model.
>
That's the theory -- the question is whether or not it's sufficient.
Looking at my laptop, I have at least 63 setuid or setgid programs.
34 of them are setuid root. Are every one of those programs security
error-free? I have grave doubts. Some of them very clearly should
not run as root, in my opinion. (In the base system, the ones I find
most problematic are rcmd, lock, rlogin, skeyinfo/skeyinit,
ssh-keysign, utmp_update, authpf, pppd/sliplogin, timedc, and
mrinfo/mtrace/traceroute/traceroute6/ping/ping6. Yes, I know why each
of them is setuid root. Sometimes, the privilege is a consequence of the
historical shortcomings of the Unix protection system; other times, I
think it's just evidence of poor design.)
--Steve Bellovin, http://www.cs.columbia.edu/~smb
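The setuid/setgid census Bellovin quotes for his laptop is easy to reproduce. The script below is an added example, not code from the mail or from NetBSD: it enumerates setuid and setgid regular files under a directory tree using only POSIX find(1) options, and separately counts the ones that are setuid to a given user (root by default), which are the programs whose correctness the whole system depends on. The sample tree it builds is constructed for illustration and contains empty placeholder files, not real binaries; the file names are chosen to mirror the mail, nothing more.

```shell
#!/bin/sh
# Added example (not code from the original mail): enumerate setuid/setgid
# executables under a directory and split out the setuid-to-<user> subset.
# Only POSIX find(1) predicates are used, so this runs on NetBSD and Linux.

# All regular files under $1 with the setuid or setgid bit, one path per line.
list_privileged() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Number of setuid/setgid regular files under $1.
count_privileged() {
    list_privileged "$1" | wc -l | tr -d ' '
}

# Regular files under $1 that are setuid to user $2 (default root): anyone
# who can execute one of these runs code with that user's privileges.
list_setuid_user() {
    find "$1" -xdev -type f -perm -4000 -user "${2:-root}" -print
}

count_setuid_user() {
    list_setuid_user "$1" "${2:-root}" | wc -l | tr -d ' '
}

# Constructed sample tree (placeholder files, not real binaries) so the
# helpers can be exercised without walking a live filesystem. Files are
# owned by the caller, so "setuid root" becomes "setuid $(id -un)" here.
make_sample_tree() {
    dir=$(mktemp -d) || exit 1
    for f in ping traceroute rlogin; do          # setuid to the caller
        : > "$dir/$f"; chmod 4755 "$dir/$f"
    done
    : > "$dir/wall"; chmod 2755 "$dir/wall"      # setgid only
    : > "$dir/ls";   chmod 0755 "$dir/ls"        # ordinary executable
    printf '%s\n' "$dir"
}

# Stand-alone run: report on the sample tree. To audit a real system, call
# e.g.  count_privileged /usr  and  list_setuid_user /usr root  instead.
if [ "${AUDIT_SELFTEST:-1}" = 1 ]; then
    tree=$(make_sample_tree)
    me=$(id -un)
    echo "$tree: $(count_privileged "$tree") setuid/setgid files," \
         "$(count_setuid_user "$tree" "$me") setuid $me"
    list_setuid_user "$tree" "$me"
    rm -rf "$tree"
fi
```

On a real system, run the counts against / (or each mounted filesystem, since -xdev stops at mount points) as root, and diff the output against a known-good list from install time; any new setuid-root file is either a package you installed or something to investigate.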