[Security_sig] DCL protection assumptions

Ed Reed ereed at novell.com
Thu Oct 7 13:26:32 PDT 2004

>>>Kees Cook <kees at osdl.org> 10/07/04 12:45 pm >>> 

3) Authorized admins are implicitly trusted. 

<eer> I take this to read that authorized admins are implicitly trusted
for all aspects of system and application administration.

If not, then there is a need to be able to separate administrative
duties, and to limit the implicit trust in authorized admins to those
areas of administration they're explicitly authorized.

I'd prefer the latter to be the requirement, as I think it raises the bar
on what people expect to be reasonable and necessary for data center
operations management.

Consider - is the authorized administrator whose job it is to back up the
machine also authorized to install new versions of an OS, to bounce
databases or web application servers, or rearrange and reformat disk

In other words - is there only need for "root", or 0-uid accounts (with
individual names and passwords, if you wish).  

Oh, and I'm sorry I missed the call this am - I was scheduled into a
presentation I couldn't get out of...
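The separation the message argues for (a backup operator who can run backup tooling but cannot install an OS or bounce a database, as opposed to everyone holding a uid-0 account) is what a sudo-style command policy expresses. The following is an added example, not code from the original thread or from OSDL: a minimal evaluator for a constructed subset of sudoers syntax (`user host = (runas) cmd, cmd`), with a hypothetical policy and a hypothetical catalogue of data-center duties, used to show which duties each role can perform and how a catch-all `(ALL) ALL` rule collapses back to shared root.

```python
"""Separating administrative duties with a sudo-style command policy.

Constructed example: a small evaluator for a simplified sudoers subset,
used to contrast per-role, command-scoped delegation with a single
shared uid-0 account. Hostnames, paths and role names are made up.
"""
import fnmatch
import re
from dataclasses import dataclass

# Constructed policy fragment (hypothetical roles, hosts and paths).
POLICY = """
# backup operator: may only run the backup tooling, as root
backup_op  ALL = (root) /usr/bin/rsync, /sbin/dump
# database operator: may only restart or inspect the database service
db_op      ALL = (root) /bin/systemctl restart postgresql, /bin/systemctl status postgresql
# platform operator: OS package management only
os_op      ALL = (root) /usr/bin/apt-get *
# legacy catch-all: equivalent to handing out the root password
legacy_adm ALL = (ALL) ALL
"""

# Constructed catalogue of the duties the message lists.
OPERATIONS = {
    "backup":     "/usr/bin/rsync -a /srv /backup",
    "os_install": "/usr/bin/apt-get install linux-image-generic",
    "bounce_db":  "/bin/systemctl restart postgresql",
    "shell":      "/bin/sh",
}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*\((\S+)\)\s*(.+)$")


@dataclass(frozen=True)
class Rule:
    user: str
    host: str
    runas: str
    commands: tuple  # command-line patterns, or "ALL"


def parse_policy(text):
    """Parse the simplified sudoers subset into Rule objects (comments ignored)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {raw!r}")
        user, host, runas, cmds = m.groups()
        rules.append(Rule(user, host, runas, tuple(c.strip() for c in cmds.split(","))))
    return rules


def _command_matches(pattern, command):
    """Mirror sudoers semantics: exact executable path; a bare path permits
    any arguments; an argument pattern is matched with shell wildcards."""
    if pattern == "ALL":
        return True
    pat_parts = pattern.split(None, 1)
    cmd_parts = command.split(None, 1)
    if pat_parts[0] != cmd_parts[0]:
        return False
    if len(pat_parts) == 1:
        return True
    cmd_args = cmd_parts[1] if len(cmd_parts) > 1 else ""
    return fnmatch.fnmatchcase(cmd_args, pat_parts[1])


def authorized(rules, user, command, host="db1.example", runas="root"):
    """True if some rule lets `user` run `command` as `runas` on `host`."""
    for r in rules:
        if r.user != user or r.host not in ("ALL", host) or r.runas not in ("ALL", runas):
            continue
        if any(_command_matches(p, command) for p in r.commands):
            return True
    return False


def duties(rules, user):
    """Names of catalogued duties this user may perform: the audit view a
    reviewer of the policy would want."""
    return sorted(op for op, cmd in OPERATIONS.items() if authorized(rules, user, cmd))


if __name__ == "__main__":
    rules = parse_policy(POLICY)
    for who in ("backup_op", "db_op", "os_op", "legacy_adm"):
        print(f"{who:11s} -> {duties(rules, who)}")
```

Running it prints one line per role; the three scoped roles each map to a single duty, while `legacy_adm` maps to every duty including an interactive shell, which is the "only root accounts" model the message asks about.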

