Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!linus!decvax!harpo!seismo!rochester!ritcv!mjl
From: mjl@ritcv.UUCP (Mike Lutz)
Newsgroups: net.unix-wizards
Subject: Inaccessible password files
Message-ID: <449@ritcv.UUCP>
Date: Sat, 16-Jul-83 16:03:02 EDT
Article-I.D.: ritcv.449
Posted: Sat Jul 16 16:03:02 1983
Date-Received: Sun, 17-Jul-83 01:22:03 EDT
References: unc.5531
Lines: 16

One problem with unreadable (or otherwise inaccessible) password files is the implicit assumption that only privileged processes need to use the information.

We have some database inquiry programs that run set-gid or set-uid, and which demand the invoker type his/her password again. While not perfect, the technique does stave off attempts to use an active terminal to gain access to unauthorized information. We use this primarily in cases where the command is the interface to some moderately private information that only the "real" person should see.

Of course, all such programs could run as set-uid root and access the protected password file. We prefer our approach, as it attempts to abide by the "principle of least privilege". Also, the hidden password file technique can lead to a false sense of security (read the UNIX security paper from V6).

Mike Lutz
{allegra,seismo}!rochester!ritcv!mjl
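The re-authentication gate the post describes, as an added example that is not code from the post or its author: a set-gid inquiry program that makes the person at the terminal retype their password before anything private is printed, reads the protected credential store only while it holds the group privilege, and then gives that privilege up. It assumes a constructed shadow-style store embedded inline and PBKDF2-HMAC-SHA256 as a stand-in for the crypt(3) hashing a real program would use; both are assumptions, not details from the post.

```python
"""Re-authenticate the invoker before disclosing private records (added example)."""
import getpass
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # assumption: PBKDF2 stands in for crypt(3)


def hash_password(password: str, salt: str) -> str:
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS)
    return f"$pbkdf2${salt}${dk.hex()}"


# Constructed sample store: the "inaccessible" password file that only the
# set-gid program's group may read. Fields mimic user:hash:rest-of-line.
SHADOW_TEXT = "\n".join([
    "alice:" + hash_password("correct horse", "s4lt1") + ":19000:0:99999:7:::",
    "bob:" + hash_password("hunter2", "s4lt2") + ":19000:0:99999:7:::",
])
DUMMY_HASH = hash_password("unused", "dummy")  # keeps timing flat for unknown users


def lookup_hash(shadow_text: str, user: str) -> Optional[str]:
    """Privileged step: find the stored hash for one user, or None if absent."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == user:
            return fields[1]
    return None


def verify(stored: str, typed: str) -> bool:
    """Constant-time comparison of the retyped password against the stored hash."""
    _, _, salt, _ = stored.split("$")
    return hmac.compare_digest(hash_password(typed, salt), stored)


def drop_group_privilege() -> None:
    """Least privilege: give up the set-gid group as soon as the store has been read."""
    if os.getegid() != os.getgid():
        os.setegid(os.getgid())


def reauthenticate(shadow_text: str, user: str, typed: str) -> bool:
    """Return True only if the person at the terminal knows `user`'s password."""
    stored = lookup_hash(shadow_text, user)
    drop_group_privilege()  # nothing below needs the protected file
    return verify(stored if stored is not None else DUMMY_HASH, typed) and stored is not None


if __name__ == "__main__":
    me = getpass.getuser()
    if not reauthenticate(SHADOW_TEXT, me, getpass.getpass("Password: ")):
        raise SystemExit("re-authentication failed")
    print("private records for", me)  # the protected output would follow here
```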