Great Circle Associates Firewalls
(November 1995) 		 
Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]
Subject: Re: Tightening up SunOS 5.4 (was Re: Hardened OS)
From: Rick Smith <smith @ sctc . com>
Date: Fri, 3 Nov 1995 14:07:08 -0600 (CST)
To: mjc @ quark . foobar . co . uk (Martin Cooper)
Cc: smith @ sctc . com, firewalls @ greatcircle . com
In-reply-to: <199511031740 . RAA23766 @ quark . foobar . co . uk> from "Martin Cooper" at Nov 3, 95 05:40:23 pm 
> I'm happy that root is just a name for uid 0, but what about
> processes that need to be started at boot time? Will it be
> possible to run these at boot time without an entry for root in
> the password file, and without the setuid bits on executable
> binaries?

Actually, the term "root" is getting overloaded in this discussion.
It has two fundamental properties of interest here: 1) it has uid 0
which is really necessary in most Unix systems, and 2) it can override
lots of access protections on the system. We left in 1) and
constrained 2) using our type enforcement mechanism. Some standard
Unix systems try to get a similar effect with chroot, with varying
degrees of success.

Rick.

> If it is, then this seems like a fine security measure for a
> bastion host.

I think the industry has proven there's a huge market for host systems
with limited security. So we at least need to make strong firewalls.

Rick.
smith @
 sctc .
 com         secure computing corporation
Follow-Ups:
References:
Indexed By Date Previous: Success and thanks...re: OPIE on FWTK
From: gary flynn <gary @ habanero . jmu . edu>
Next: Re: An *UN* UNIX Firewall
From: Lachlan Bickley <lbickley @ blackgold . ab . ca>
Indexed By Thread Previous: Re: Tightening up SunOS 5.4 (was Re: Hardened OS)
From: "Martin Cooper" <mjc @ quark . foobar . co . uk>
Next: Re: Tightening up SunOS 5.4 (was Re: Hardened OS)
From: Michel Lavondes <lavondes @ tidtest . total . fr>
Google
 
Search Internet Search www.greatcircle.com