[Security_sig] Some notes from the CGL security discussion
Ge.Weijers at Sun.COM
Wed Aug 4 16:59:20 PDT 2004
Here's what I picked up from the DCL security assumption discussion of
1) We will limit ourselves to application and database servers for now.
The edge is a more complicated issue.
2) In current practice administrators have full access to the system
(classical root access). How much we want to buck that trend remains to
3) The following features are needed:
- Privilege Separation, the splitting up of all-or-nothing root
privileges into individual privileges that can be assigned separately.
This helps privilege minimization.
- Roles, which allow the (temporary) assignment of privileges to users.
- Installation and especially configuration of software without
requiring root privileges
- Immediate revocation of privileges
4) Developers have shell access to systems, and therefore shell access is
much more of an issue than for CGL. DCL needs some resistance against
mistakes. We do not assume though that users are malicious or very
5) A question for the troops: do clustered systems require anything
special security-wise (e.g. a separate network for cluster messages).
6) The security of the application/database server environments is
mostly determined by their environment. Good administration practices of
disabling unneeded services and using SSH instead of Telnet are still
These assumptions make the analysis fairly simple, along the lines of
the COTS protection profile. Individual DCL systems (edge excluded) are
not required to be very resistant to determined attack. I'd like to
verify that that's true before I start work on this in earnest.
Gé Weijers mailto:ge.weijers at sun.com
Installation and Linux Group Tel: (877)240-7611 x69536
Sun Microsystems, Inc. Fax: (877)240-7611
=== Expressed opinions are my own, I do not speak for Sun ===
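Added example, not from the post above and not CGL/DCL project code: item 3 asks for root to be split into individually assignable privileges. On Linux that mechanism is capabilities, so the program below reads the calling process's capability sets from /proc/self/status and then shrinks its bounding set with prctl(2), which is one way to make a later exec unable to regain a privilege. Function names are mine, CAP_NET_BIND_SERVICE is just an illustrative privilege to keep, and it assumes a Linux host with the kernel uapi headers installed; the drop step only succeeds when the process holds CAP_SETPCAP.

```c
/* Added example (not from the mailing-list post): inspect and shrink the
 * Linux capability sets of the calling process.  Capabilities split
 * all-or-nothing root into individually assignable privileges.
 * Linux only; uses prctl(2) and /proc directly, so no libcap needed. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <linux/capability.h>

/* Parse one "CapXxx:\t<hex>" line of /proc/<pid>/status into a bitmask
 * (bit n = capability number n, CAP_CHOWN = 0).  0 on success, -1 if the
 * line is not the requested field or the value is not hex. */
int cap_mask_parse(const char *line, const char *field, uint64_t *mask)
{
    size_t n = strlen(field);
    if (strncmp(line, field, n) != 0 || line[n] != ':')
        return -1;
    const char *p = line + n + 1;
    while (*p == ' ' || *p == '\t')
        p++;
    char *end;
    errno = 0;
    unsigned long long v = strtoull(p, &end, 16);
    if (errno != 0 || end == p)
        return -1;
    *mask = (uint64_t)v;
    return 0;
}

/* True if capability number `cap` is present in `mask`. */
int cap_mask_has(uint64_t mask, int cap)
{
    return cap >= 0 && cap < 64 && ((mask >> cap) & 1u) != 0;
}

/* Fill `caps` with the capability numbers set in `mask`, ascending. */
int cap_mask_list(uint64_t mask, int *caps, int max)
{
    int count = 0;
    for (int c = 0; c < 64 && count < max; c++)
        if ((mask >> c) & 1u)
            caps[count++] = c;
    return count;
}

/* Read one capability field ("CapEff", "CapPrm", "CapBnd", ...) of the
 * calling process.  Returns UINT64_MAX if /proc is unavailable. */
uint64_t read_cap_field(const char *field)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return UINT64_MAX;
    char line[256];
    uint64_t mask = UINT64_MAX;
    while (fgets(line, sizeof line, f))
        if (cap_mask_parse(line, field, &mask) == 0)
            break;
    fclose(f);
    return mask;
}

/* Drop every capability not in `keep` from the bounding set, so nothing
 * this process later execs can regain it.  Requires CAP_SETPCAP; without
 * it every prctl fails with EPERM.  Returns the number actually dropped. */
int drop_bounding_caps_except(uint64_t keep)
{
    int dropped = 0;
    for (int c = 0; c <= CAP_LAST_CAP; c++) {
        if (cap_mask_has(keep, c))
            continue;
        if (prctl(PR_CAPBSET_DROP, c, 0, 0, 0) == 0)
            dropped++;
        else if (errno == EINVAL)
            break;  /* running kernel knows fewer capabilities than our header */
    }
    return dropped;
}

int main(void)
{
    int caps[64];
    uint64_t eff = read_cap_field("CapEff");
    uint64_t bnd = read_cap_field("CapBnd");
    if (eff == UINT64_MAX || bnd == UINT64_MAX) {
        perror("/proc/self/status");
        return 1;
    }
    printf("effective set: %d capabilities, CAP_SYS_ADMIN %s\n",
           cap_mask_list(eff, caps, 64),
           cap_mask_has(eff, CAP_SYS_ADMIN) ? "held" : "not held");
    /* Keep only the privilege a network daemon typically needs. */
    int dropped = drop_bounding_caps_except(1ULL << CAP_NET_BIND_SERVICE);
    if (dropped == 0)
        printf("bounding set unchanged: %s\n", strerror(errno));
    bnd = read_cap_field("CapBnd");
    printf("dropped %d; bounding set now holds %d capabilities\n",
           dropped, cap_mask_list(bnd, caps, 64));
    return 0;
}
```

Run it once as an ordinary user and once as root (or under `capsh`) to see the difference: unprivileged, the bounding set stays as it was and the program reports EPERM; with CAP_SETPCAP it shrinks to the single kept capability. Note that PR_CAPBSET_DROP only limits what can be acquired across exec; the effective set of the running process is unchanged, so a daemon that wants to give up a privilege immediately also has to clear it from its effective and permitted sets.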