Subject: Re: Removing dm(1)
To: Curt Sampson <cjs@portal.ca>
From: Jason Thorpe <thorpej@nas.nasa.gov>
List: tech-security
Date: 11/18/1997 10:32:29
On Tue, 18 Nov 1997 10:13:24 -0800 (PST) Curt Sampson <cjs@portal.ca> wrote:

 > I think I've addressed the argument that dm provides any significant
 > functionality.

No, I don't think you have.  In my opinion, removing functionality,
no matter how insignificant you consider it to be, that has _always_
worked, for relatively little gain, is just bogus.

 > As for removing dm, what it does mean is that you need to audit
 > only the games that keep high score files, rather than all of them.
 > For example, the hole in fish(6) that allows you access to the
 > account of any user that runs a game exists only because fish is
 > run by dm.

Care to explain this in real detail?  How does the fact that a program
runs setuid "games" (which gives it permission to write high scores
files, among other things) allow me to access the account of any user
that runs a game?

The fact that a user has an euid of "games" gives them nothing more
than the ability to run the games otherwise controlled by dm, and
write high scores files.  Worrying about whether or not a user has
critical files writable by "games" is like worrying whether or not
that user has critical files writable by "nobody", in my mind.

If I have missed some important details, please enlighten me.  But
I'm not interested in rhetoric.

Jason R. Thorpe                                       thorpej@nas.nasa.gov
NASA Ames Research Center                            Home: +1 408 866 1912
NAS: M/S 258-6                                       Work: +1 650 604 0935
Moffett Field, CA 94035                             Pager: +1 415 428 6939
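As an added example (not code from this thread or from NetBSD), the script below checks the premise argued above on a real tree: it lists what a process running with an euid of "games" could write, applying the owner-then-group-then-other rule the kernel uses, and which setuid binaries that uid owns. The "games" uid, the sample files and their modes in demo() are constructed for illustration.

```python
"""Audit what an euid of "games" could write. Added example, not code from
the original thread or from NetBSD; uids and the sample tree are constructed."""
import os
import stat
import tempfile

def writable_by(st, uid, gids):
    """Unix access rule: owner bits if uid matches, else group bits if any gid
    matches, else other bits. An owner match wins even when g+w is set."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit(root, uid, gids):
    """Return (paths writable by uid/gids, setuid binaries owned by uid)."""
    writable, setuid = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue  # judge the target where it lives, not the link
            if writable_by(st, uid, gids):
                writable.append(path)  # writable dirs count: create/rename
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID \
                    and st.st_uid == uid:
                setuid.append(path)
    return sorted(writable), sorted(setuid)

def demo():
    """Constructed sample tree, audited as its owner, as a foreign uid sharing
    the owner's group, and as a foreign uid with no shared group."""
    root = tempfile.mkdtemp()
    for name, mode in [("hiscore.dat", 0o666), ("fish.6", 0o644),
                       ("group_w", 0o664), ("private", 0o600)]:
        with open(os.path.join(root, name), "w") as f:
            f.write("x")
        os.chmod(os.path.join(root, name), mode)
    me, gid = os.getuid(), os.lstat(os.path.join(root, "fish.6")).st_gid
    other = me + 100000  # hypothetical "games" uid that owns nothing here
    rel = lambda paths: sorted(os.path.relpath(p, root) for p in paths)
    return tuple(rel(audit(root, u, g)[0])
                 for u, g in ((me, {gid}), (other, {gid}), (other, set())))
```

On a real system, call audit() with the uid and group set of the "games" account (from pwd/grp) over /var/games, /usr/games and a user's home directory to see which files that euid actually reaches.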