Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!linus!decvax!harpo!seismo!rochester!ritcv!mjl
From: mjl@ritcv.UUCP (Mike Lutz)
Newsgroups: net.unix-wizards
Subject: Inaccessible password files
Message-ID: <449@ritcv.UUCP>
Date: Sat, 16-Jul-83 16:03:02 EDT
Article-I.D.: ritcv.449
Posted: Sat Jul 16 16:03:02 1983
Date-Received: Sun, 17-Jul-83 01:22:03 EDT
References: unc.5531
Lines: 16

One problem with unreadable (or otherwise inaccessible) password files is
the implicit assumption that only privileged processes need to use the
information.  We have some database inquiry programs that run set-gid
or set-uid, and which demand the invoker type his/her password again.
While not perfect, the technique does stave off attempts to use an
active terminal to gain access to unauthorized information.  We use
this primarily in cases where the command is the interface to some
moderately private information that only the "real" person should see.

Of course, all such programs could run as set-uid root and access the
protected password file.  We prefer our approach, as it attempts to
abide by the "principle of least privilege".  Also, the hidden password
file technique can lead to a false sense of security (read the UNIX
security paper from V6).

Mike Lutz {allegra,seismo}!rochester!ritcv!mjl
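One way to implement the re-authentication gate the post describes, as an added Python example that is not code from the original post; the user table, uids, passwords and record contents are constructed, and PBKDF2-SHA256 stands in for the era's crypt(3):

```python
"""Re-authentication gate for a set-uid/set-gid inquiry program."""
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000

def make_verifier(password, salt=None):
    """Derive a salted verifier (stand-in for crypt(3) output)."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed stand-in for the protected password file: uid -> (name, salt, hash).
USERS = {
    1001: ("alice", *make_verifier("correct horse")),
    1002: ("bob", *make_verifier("battery staple")),
}
# Constructed "moderately private" data the inquiry program fronts.
PRIVATE_RECORDS = {1001: "alice: salary grade 7", 1002: "bob: salary grade 5"}

def verify_password(uid, typed):
    """True only if the typed password matches the stored verifier for uid."""
    entry = USERS.get(uid)
    if entry is None:
        return False
    _name, salt, stored = entry
    candidate = hashlib.pbkdf2_hmac("sha256", typed.encode(), salt, ITERATIONS)
    # Constant-time compare: the comparison must not leak where bytes differ.
    return hmac.compare_digest(candidate, stored)

def inquiry(real_uid, typed):
    """Return the invoker's own record, but only after re-authentication.

    The invoker is identified by the *real* uid (os.getuid() in a set-uid
    program), never the effective uid the program runs under, and only
    that user's record is released, so the elevated privilege is spent
    on one narrow purpose rather than granting blanket access.
    """
    if not verify_password(real_uid, typed):
        return None
    return PRIVATE_RECORDS.get(real_uid)

if __name__ == "__main__":
    import getpass
    # Real uid of whoever typed the command, even when running set-uid.
    result = inquiry(os.getuid(), getpass.getpass("Password: "))
    print(result if result is not None else "Access denied")
```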