Path: utzoo!utgpu!water!watmath!clyde!ima!think!barmar
From: barmar@think.COM (Barry Margolin)
Newsgroups: comp.misc
Subject: Re: Trojan Horse a Myth?
Message-ID: <13436@think.UUCP>
Date: 10 Dec 87 22:28:54 GMT
References: <459@gtx.com> <30800002@ccvaxa>
Sender: usenet@think.UUCP
Reply-To: barmar@sauron.think.com.UUCP (Barry Margolin)
Organization: Thinking Machines Corporation, Cambridge, MA
Lines: 27

In article <30800002@ccvaxa> aglew@ccvaxa.UUCP writes:
> What is needed is a security predicate that prevents root from executing
> non-secure code *wherever* it might be found. This might involve, on every
> invocation, checking that the path to the / is non-writable, and so on.
> If you have such predicates, then relative pathnames like . and ./bin
> are as secure as any other.

There is research in this area. A (too-)simple solution would be to
specify that root can only run things that are owned by root. This has
the problem that root won't be able to run anything that is setuid to
someone else; for example, I think uucp is setuid uucp.

The general solution to this problem involves tagging executable files
with an integrity level, and tagging processes with a trust level. A
file is given an integrity level corresponding to the trust level of
the process that last wrote it, and a process won't run a file whose
integrity level is lower than its trust level. Root would normally run
with a high trust level, and wouldn't be able to execute files written
by ordinary users.

---
Barry Margolin
Thinking Machines Corp.

barmar@think.com
seismo!think!barmar
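The two rules the post compares, as an added model that is not part of the original thread: files carry the integrity level of the process that last wrote them, and a process refuses to execute anything labelled below its own trust level. The two-level scale, the user names and the setuid-uucp path are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional

USER, SYSTEM = 1, 2   # constructed trust/integrity scale: higher = more trusted

@dataclass
class File:
    owner: str
    integrity: int                 # trust level of the process that last wrote it
    setuid: Optional[str] = None   # user the file is setuid to, if any

@dataclass
class Process:
    user: str
    trust: int

class Filesystem:
    def __init__(self) -> None:
        self.files: Dict[str, File] = {}

    def write(self, proc: Process, path: str, owner: Optional[str] = None,
              setuid: Optional[str] = None) -> None:
        # Every write (re)labels the file with the writer's trust level.
        self.files[path] = File(owner or proc.user, proc.trust, setuid)

    def owner_rule(self, proc: Process, path: str) -> bool:
        # The post's "too-simple" rule: root may only run root-owned files.
        return proc.user != "root" or self.files[path].owner == "root"

    def integrity_rule(self, proc: Process, path: str) -> bool:
        # The general rule: never run a file whose integrity is below the caller's trust.
        return self.files[path].integrity >= proc.trust

def scenario() -> Dict[str, bool]:
    fs = Filesystem()
    root, alice = Process("root", SYSTEM), Process("alice", USER)
    fs.write(root, "/bin/ls", owner="root")                             # system binary
    fs.write(root, "/usr/lib/uucp/uucico", owner="uucp", setuid="uucp")  # hypothetical setuid-uucp tool, installed by root
    fs.write(alice, "./ls")                                             # user-written file in the current directory
    return {
        "owner rule wrongly blocks the setuid-uucp binary": not fs.owner_rule(root, "/usr/lib/uucp/uucico"),
        "integrity rule allows the setuid-uucp binary":     fs.integrity_rule(root, "/usr/lib/uucp/uucico"),
        "integrity rule stops root from running ./ls":     not fs.integrity_rule(root, "./ls"),
        "alice may still run her own ./ls":                fs.integrity_rule(alice, "./ls"),
        "alice may run the root-written /bin/ls":           fs.integrity_rule(alice, "/bin/ls"),
    }

if __name__ == "__main__":
    for check, ok in scenario().items():
        print(f"{'ok  ' if ok else 'FAIL'} {check}")
```

Note that the label follows the writer, not the path or the owner, which is why the relative `./ls` is rejected for root without any check on the directory chain.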