Re: Proposal "LUID"

From: Austin Schutz (tex@gblx.net)
Date: Mon Apr 17 2000 - 04:59:30 EST


On Sun, Apr 16, 2000 at 03:57:01PM -0400, allbery@kf8nh.apk.net wrote:
> On 16 Apr, Austin Schutz wrote:
> +-----
> | I think the whole concept is lacking. If I have EUID 0 I can do
> |
> | # echo "+ +" >/root/.rhosts
> |
> | ..And now anyone can log in as root with LUID 0. So.. what was gained?
> +--->8
>
> What was gained was that the filesystem auditing code will have logged
> the fact that you (as identified by your LUID, which will still
> indicate *you*) made that modification. That's the whole point of
> LUIDs: to provide a reliable user identity for auditing changes to the
> system.
>
> Once again, LUIDs are not used for authentication or access control.
> They are used for *secure auditing*.

        I'm extremely skeptical that anything, auditing included, could
be made secure in the case of a compromise, which AFAICT is what you are
trying to accomplish. What do you do when your auditing tools are rootkitted?
        Once you've dealt with that, what have you gained? You only find out
when someone does something that is of auditable importance. Imagine the
case where I compromise a (for example) telnetd. Rather than have it spawn a
shell I merely have it dump the contents of /etc/shadow to me. Since telnetd
(or login) gets to read that file anyway you have no way of telling anything
unusual has happened, even if you are logging.

        If despite all this it helps Linux gain some needed certification
I think that's great. But I still think it's a flawed concept.

        Austin
