Path: utzoo!utgpu!water!watmath!clyde!ima!think!barmar
From: barmar@think.COM (Barry Margolin)
Newsgroups: comp.misc
Subject: Re: Trojan Horse a Myth?
Message-ID: <13436@think.UUCP>
Date: 10 Dec 87 22:28:54 GMT
References: <459@gtx.com> <30800002@ccvaxa>
Sender: usenet@think.UUCP
Reply-To: barmar@sauron.think.com.UUCP (Barry Margolin)
Organization: Thinking Machines Corporation, Cambridge, MA
Lines: 27

In article <30800002@ccvaxa> aglew@ccvaxa.UUCP writes:
>    What is needed is a security predicate that prevents root from executing
>non-secure code *wherever* it might be found. This might involve, on every
>invocation, checking that the path to the / is non-writable, and so on.
>If you have such predicates, then relative pathnames like . and ./bin
>are as secure as any other.

There is research in this area.  A (too-)simple solution would be to
specify that root can only run things that are owned by root.  This
has the problem that root won't be able to run anything that is setuid
to someone else; for example, I think uucp is setuid uucp.

The general solution to this problem involves tagging executable files
with an integrity level, and tagging processes with a trust level.  A
file is given an integrity level corresponding to the trust level of
the process that last wrote it, and a process won't run a file whose
integrity level is lower than its trust level.  Root would normally
run with a high trust level, and wouldn't be able to execute files
written by ordinary users.


---
Barry Margolin
Thinking Machines Corp.

barmar@think.com
seismo!think!barmar
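The integrity-level / trust-level scheme described in the post, as a small added simulation (editor's example, not code from the post or the thread; the two-value level scale, the user names and the file paths are constructed). It also contrasts the "root runs only root-owned files" rule with the integrity rule on a root-installed setuid-uucp binary:

```python
from dataclasses import dataclass

# Constructed trust/integrity scale; higher means more trusted.
LEVELS = {"user": 1, "system": 3}

@dataclass
class File:
    path: str
    owner: str
    integrity: int   # trust level of the process that last wrote the file

@dataclass
class Process:
    user: str
    trust: int       # trust level the process runs at

def write_file(proc: Process, f: File) -> None:
    """A write relabels the file with the writer's trust level."""
    f.integrity = proc.trust

def can_exec(proc: Process, f: File) -> bool:
    """Integrity rule from the post: refuse a file whose integrity is below the process's trust."""
    return f.integrity >= proc.trust

def owner_rule(proc: Process, f: File) -> bool:
    """The 'too simple' rule: root may only run files owned by root."""
    return proc.user != "root" or f.owner == "root"

def scenario() -> dict:
    root = Process("root", LEVELS["system"])
    alice = Process("alice", LEVELS["user"])
    bin_ls = File("/bin/ls", "root", LEVELS["system"])      # installed (last written) by root
    uucp = File("/usr/bin/uucp", "uucp", LEVELS["system"])  # setuid uucp, but installed by root
    cwd_ls = File("./ls", "alice", LEVELS["user"])          # written by a user into a writable directory
    out = {
        "root_exec_bin_ls": can_exec(root, bin_ls),
        "root_exec_cwd_ls": can_exec(root, cwd_ls),        # refused: integrity 1 < trust 3
        "alice_exec_bin_ls": can_exec(alice, bin_ls),      # allowed: integrity 3 >= trust 1
        "root_exec_uucp_integrity": can_exec(root, uucp),  # allowed: root wrote it
        "root_exec_uucp_owner_rule": owner_rule(root, uucp),  # ownership rule wrongly refuses
    }
    write_file(root, cwd_ls)   # root rewrites ./ls, so its integrity rises to root's trust
    out["root_exec_cwd_ls_after_root_write"] = can_exec(root, cwd_ls)
    write_file(alice, cwd_ls)  # alice writes it again, so its integrity drops back
    out["root_exec_cwd_ls_after_alice_write"] = can_exec(root, cwd_ls)
    return out

if __name__ == "__main__":
    for name, allowed in scenario().items():
        print(f"{name}: {allowed}")
```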