[Security_sig] DCL protection assumptions

Chris Wright chrisw at osdl.org
Thu Oct 7 14:30:34 PDT 2004

* slav at vogon.net (slav at vogon.net) wrote:
> >
> > 3) Authorized admins are implicitly trusted.
> >
> > <eer> I take this to read that authorized admins are implicitly trusted
> > for all aspects of system and application administration.
> >
> > If not, then there is a need to be able to separate administrative
> > duties, and to limit the implicit trust in authorized admins to those
> > areas of administration they're explicitly authorized.
> >
> > I'd prefer the later to be the requirement, as I think it raises the bar
> > on what people expect to be reasonable and necessary for data center
> > operations management.
> >
> > Consider - is the authorized administrator who's job it is to backup the
> > machine also authorized to install new versions of an OS, to bounce
> > databases or web application servers, or rearrange and reformat disk
> > storage?
> >
> > In other words - is there only need for "root", or 0-uid accounts (with
> > individual names and passwords, if you wish).

This is a fair distinction that we've discussed before.  I think the
assumption implicitly says (sorry for overuse of implicit ;-) there's
only one flavor of admin.  So we should reword appropriately.

> > Oh, and I'm sorry I missed the call this am - I was scheduled into a
> > presentation I couldn't get out of...
> >
> > </eer>
> I second that.  We've determined that we needed layered access for our
> data center admins, SeOS is currently helping to parcel out root-like
> priviledges.  The intent is to give each admin just enough priviledges to
> do their job.

SeOS?  How are they privs parcelled out?  What are examples of the
differing layers?  Agreed, least privileges is preferred method for

Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net

More information about the security_sig mailing list