On 4 Jul 2002, Dave Aitel wrote:

> Realistically, every OS has always had a local exploit for its entire
> history.

Same about remote exploits... This does not change the fact that you have a chance to be lucky if you maintain your local security (i.e. don't have 50+ suids from default distribution, properly configure temporary storage and permissions, keep setuid software up-to-date, etc). Of course, it takes much more experience and knowledge, and most vendors are doing their best not to make your life simpler, but it isn't impossible.

Better privilege control would be better, at least in theory. In practice, of course, I would expect many vendors to ship things with maximum privileges set just to save some time - just as we have some root daemons and setuid root applications shipping with no good reason, a separate account and setgid would do.

> Why not just run every process as root and get rid of all the other
> pesky conventions?

Including mail clients or web browsers, and other software that really has to bind low ports, write to /etc and do other things like that? ;>

> The more you get into ACLs, the more you move to an NT-style "everything
> is complicated" permissions system. This increases complexity and
> demonstrably decreases overall security (how many services don't run as
> SYSTEM these days? Any?).

Static ACLs are generally as flawed as uid 0 access control, because such solutions force programmers to use very careful and highly modular design - which is pretty much like telling them to code in safer programming languages. Otherwise, any reasonably big monolithic application has to access so many things it is not that different from giving it root privileges. But it is not impossible to design a good ACL (perhaps dynamic) system. And there are some automated ACL systems that can actually profile the application and automate the process, with only minor tweaking necessary. Of course, once again, vendors would most likely do their best to render this mechanism almost useless.

-- 
_____________________________________________________
Michal Zalewski [lcamtufat_private] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
http://lcamtuf.coredump.cx/photo/
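A check for the "don't have 50+ suids from default distribution" point above, as an added example that is not part of the original post: it lists every setuid and setgid file under a tree and flags those missing from an allowlist, so privileged binaries nobody intended to ship stand out. The sample tree, file names and allowlist are constructed for the demonstration, and GNU find (for -printf) is assumed.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits a tree for setuid/setgid
# files and reports any that are not on an allowlist. Requires GNU find.
set -u

# Print "mode owner:group path" for every setuid or setgid regular file under $1.
# Paths are relative to $1 so the output can be compared with a stable allowlist.
list_privileged() {
    ( cd "$1" && find . -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%m %u:%g %p\n' ) | sort
}

# Print every privileged file under $1 whose path is not listed (one per line) in
# the allowlist file $2. Exit status is 1 if anything unexpected was found, else 0.
audit_privileged() {
    unexpected=$(list_privileged "$1" | while read -r mode owner path; do
        grep -qxF "$path" "$2" || printf 'UNEXPECTED %s %s %s\n' "$mode" "$owner" "$path"
    done)
    [ -n "$unexpected" ] && printf '%s\n' "$unexpected"
    [ -z "$unexpected" ]
}

# Constructed sample tree: two privileged files that are on the allowlist, one
# plain binary, and one setuid helper that nobody put on the list.
SAMPLE_ROOT=$(mktemp -d)
mkdir -p "$SAMPLE_ROOT/usr/bin" "$SAMPLE_ROOT/opt/vendor"
printf '#!/bin/sh\n' > "$SAMPLE_ROOT/usr/bin/passwd"    && chmod 4755 "$SAMPLE_ROOT/usr/bin/passwd"
printf '#!/bin/sh\n' > "$SAMPLE_ROOT/usr/bin/wall"      && chmod 2755 "$SAMPLE_ROOT/usr/bin/wall"
printf '#!/bin/sh\n' > "$SAMPLE_ROOT/usr/bin/ls"        && chmod 0755 "$SAMPLE_ROOT/usr/bin/ls"
printf '#!/bin/sh\n' > "$SAMPLE_ROOT/opt/vendor/helper" && chmod 4755 "$SAMPLE_ROOT/opt/vendor/helper"

# Constructed allowlist: the privileged files the distribution is expected to ship.
ALLOWLIST=$(mktemp)
printf './usr/bin/passwd\n./usr/bin/wall\n' > "$ALLOWLIST"

if audit_privileged "$SAMPLE_ROOT" "$ALLOWLIST"; then
    echo "no unexpected setuid/setgid files under $SAMPLE_ROOT"
else
    echo "review the entries above: each is a privilege boundary the allowlist does not account for"
fi
```

On a real host, run list_privileged against / once to build the allowlist, then re-run audit_privileged after every package update to catch newly shipped privileged binaries.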
This archive was generated by hypermail 2b30 : Thu Jul 04 2002 - 13:42:03 PDT