Path: utzoo!utgpu!watmath!uunet!xanth!mcnc!rutgers!ucsd!sdcsvax!ucsdhub!cuuxun!jhunix!ins_anmy
From: ins_anmy@jhunix.JHU.EDU (Norman Yarvin)
Newsgroups: unix-pc.general
Subject: Re: /etc/shutdown permissions
Message-ID: <318@jhunix.JHU.EDU>
Date: 5 Dec 88 23:08:10 GMT
References: <234@safari.UUCP> <1349@umbc3.UMD.EDU> <426@amanue.UUCP> <4272@encore.UUCP> <435@amanue.UUCP> <295@jhunix.JHU.EDU> <440@amanue.UUCP>
Reply-To: ins_anmy@jhunix.UUCP (Norman Yarvin)
Distribution: unix-pc
Organization: JHU
Lines: 62

In article <440@amanue.UUCP> jr@amanue.UUCP (Jim Rosenberg) writes:
> ... Just to take this one example, a proper approach
>to password security includes the following layers:
>
>1. Proper people procedures. (Do not write down your password next to your
>terminal, do not share your password with your co-workers, etc.)
>
>2. Well-chosen passwords. This is currently being beaten to death on the net
>right now.
>
>3. Password encryption.
>
>4. o-r on the shadow password file. (/etc/passwd has all the fields that
>tools like ls need; the password field is there but not used.)
>
>That's 4 layers.

It's two layers. One layer is composed of #1, #2, and #3; the other is #1,
#2, and #4. A "layer" means a complete line of defense. Note that #1 and #2
are common to both layers, so that in some areas only one level has to be
broken to completely break through the defenses. Thus one might further
classify the above system as two layers in some respects, one layer in
others.

A multi-layer system is only as strong as the strongest layer. The only
exception is when, although both layers are incomplete, all holes in the
first layer are completely patched by the second. If the second layer is
easier to put in place than to fix the first, then this is reasonable;
normally it is easier to fix the first level. Thus if it is judged easier
and as effective to add a shadow password file (#4) than to educate users
(fix #2), then adding a shadow password file is reasonable. Adding a shadow
password file to bolster the encryption algorithm is not reasonable, as the
encryption algorithm is still the strongest layer.

> ... I think defense in depth is just plain common
>sense.

IBM-style common sense, maybe.

> ... I will be most interested if you can cite a literature reference
>showing where the defense in depth concept just plain doesn't work.

Adding another level of defense will never lessen the security of a system,
except in two ways: either (1) people get lax, seeing as they now have a
backup layer, and forget the importance of maintaining the existing layers,
or (2) the backup layer introduces a bug into the existing layers.

The issue here is the sacrifice of elegant, small, fast systems at the altar
of security. Or does anyone except me care about that sort of thing any
more?

> ... But saying that the defense in depth concept makes no sense is
>like saying if you keep your brakes in good repair having a quick reaction time
>on the brake pedal isn't necessary.

More like saying that if you keep your windshield clean, having an extra
mirror on the side of the car to see forward is unnecessary.

Norman Yarvin                (seismo!umcp-cs | allegra!hopkins) !jhunix!ins_anmy
"Unix is a hard nut to crack: once you get off the shell, there's nothing
there but the kernel."
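An added illustration of point #4 in the quoted list (a check an administrator could run; this is not code from either poster). It parses passwd-format records and reports any account whose hash still sits in the world-readable file rather than behind the shadow placeholder, and it reports whether a shadow file's mode leaves it readable by group or others. The sample records and modes are constructed, and the names parse_passwd, unshadowed_accounts, shadow_mode_problems and audit_shadow_file are hypothetical.

```python
"""Audit the passwd/shadow split: hashes belong in the o-r-stripped shadow
file, not in the world-readable /etc/passwd that tools like ls must read."""
import os
import stat

# Constructed sample /etc/passwd records (not from any real system):
#   alice  - properly shadowed, password field is the placeholder "x"
#   bob    - hash still stored in the world-readable file
#   daemon - locked account, "*" can never match a hash
SAMPLE_PASSWD = """\
alice:x:1000:1000:Alice:/home/alice:/bin/sh
bob:abCONSTRUCTED9x:1001:1001:Bob:/home/bob:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""

# Values in the password field that carry no hash: the shadow placeholder
# and the usual lock markers.
NON_HASH_FIELDS = {"x", "*", "!", ""}


def parse_passwd(text):
    """Split passwd-format text into dicts for the classic 7-field layout."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd record: {line!r}")
        name, password, uid, gid, gecos, home, shell = fields
        entries.append({
            "name": name, "password": password, "uid": int(uid),
            "gid": int(gid), "gecos": gecos, "home": home, "shell": shell,
        })
    return entries


def unshadowed_accounts(entries):
    """Names whose hash is exposed in the passwd file itself."""
    return [e["name"] for e in entries if e["password"] not in NON_HASH_FIELDS]


def shadow_mode_problems(mode):
    """Given a permission mode (e.g. 0o640), list who besides the owner can
    read the shadow file. Group read is flagged too, so a site using a
    dedicated shadow group can decide for itself whether that is acceptable."""
    problems = []
    if mode & stat.S_IRGRP:
        problems.append("group-readable")
    if mode & stat.S_IROTH:
        problems.append("other-readable")
    return problems


def audit_shadow_file(path="/etc/shadow"):
    """Stat a real shadow file and report readability beyond the owner."""
    return shadow_mode_problems(stat.S_IMODE(os.stat(path).st_mode))


if __name__ == "__main__":
    exposed = unshadowed_accounts(parse_passwd(SAMPLE_PASSWD))
    print("hashes exposed in passwd:", exposed)          # ['bob']
    print("mode 0644 problems:", shadow_mode_problems(0o644))
    print("mode 0640 problems:", shadow_mode_problems(0o640))
    print("mode 0600 problems:", shadow_mode_problems(0o600))
```

Run it as-is to see the constructed sample; on a live system call audit_shadow_file() (it needs no read access to the file, only to stat it) and feed the real passwd file to parse_passwd.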