Destroying "only" your home directory (was Re: Newbie question on permissions)
alan at linuxholdings.co.za
Sun Apr 2 20:00:08 UTC 2006
On Sunday 02 April 2006 05:07, Matthew R. Dempsky wrote:
> On Sat, Apr 01, 2006 at 06:40:00PM -0600, Michael V. De Palatis
> Sorry, maybe my point wasn't clear: I don't think privelege
> separation is a bad thing, just that simply separating root from
> users doesn't go anywhere near far enough, and that users aren't
> given enough access to further privelege separation.
The problem with that idea is that it's extremely hard to implement in
a concise, easy to use manner. *nix permissions were designed so that
multiple user could share resources without clobbering each other's
stuff - so you can do anything you like with files you own. Sure,
it's inconvenient sometimes, but consider the effects of the
> On the servers I administer, almost every service runs as its own
> dedicated user with the bare minimum necessary permissions.
> However, it's not practical to do similarly as a regular user on
> my laptop, for example, how do I run mplayer such that I can safely
> watch any movie I download online? There have been exploits in
> mplayer before, who's to say they won't happen again?
>  http://tigger.uic.edu/~jlongs2/holes/mplayer.txt
You could build a system that allows mplayer direct access to the
video hardware but not everything else. Two ways present themselves:
1. Increase the program's priviliedges. This is basically an expansion
of setuid/setgid with fine grained control.
2. Increase the priviledge of the user the program runs as. This is
the entire idea behind the Windows model.
What's the problem? Permission creep. If you can elevate an arbitrary
user's access to resources, then users will tend to elevate their
permissions to the maximum to "make things easier". Eventually
running as an admin will become the norm, which is no better than
routinely running as root.
The second problem is complexity. If you can select all manner of
stuff that users can do on an individual basis, it's only a matter of
time before someone builds an "enable all" function into permissions.
Same results as the first problem.
As evidence, how many sites have you seen where the full functionality
of sudo is used? It becomes a real pita to maintain with several
users, so the general tendency is that a user is either a full sudoer
or not. Not any different from 'su -' in effect, except you now know
which user ran a command as root.
Permissions as they are aren't perfect, but it's the best system found
so far. It's the simplest thing that could possible work and get the
job done, and it's still with us after 30 years. In some ways it
sucks, but all the alternatives suck much more.
alan at linuxholdings dot co dot za
+27 82, double three seven, one nine three five
More information about the ubuntu-users