Re: Root is God? (was: Mutt tmp files)
* Mathias Gygax [EMAIL PROTECTED] [2001.11.18 17:58:46+0100]:
> > excellent. you know what i did: i just removed the root:0:... line from
> > /etc/passwd and /etc/shadow. now i can't be root. that must be perfect
> > security. yeah!
>
> before you shout, think twice. this is READ-only on my system. you don't
> really understand it, right?

i think i do. i wasn't talking about your system, but more about the
general gist of the email thread. i'll answer your lamer detector email
in just a sec, so look there for more details.

--
martin;              (greetings from the heart of the sun.)
  \ echo mailto: !#^.*|tr * mailto:; net@madduck

there is more stupidity than hydrogen in the universe, and it has a
longer shelf life.
  -- frank zappa
Re: Root is God? (was: Mutt tmp files)
* Mathias Gygax [EMAIL PROTECTED] [2001.11.18 17:59:29+0100]:
> > thanks, you just made me laugh!
>
> you set lamer detector to orange.

alright, so my first step is to scale back and *not* flame. i am sorry
for posting my sarcastic comment. i shall now try to sum up my points.

we have been talking about creating a system in which even root can't do
everything. in doing so, we stumbled upon a problem of definition,
because "root" can either refer to the line in /etc/{passwd,shadow} --
the user with UID 0 -- or it can refer to the more abstract concept of
system administrator or root of a system.

let me put it this way: historically, root is the center of a unix
system, well, the root. root is the only account that comes
pre-installed, root's password is defined during installation. again,
historically, there is *nothing* that root cannot do.

there exist a collection of kernel patches and other goodies, which take
some of that responsibility away from root. now, it doesn't matter what
the definition is, someone installs these and that someone can very well
change them again. whether that someone is root him/herself, or the
owner of the system, who wants to make life easier for the chap that was
appointed root, there is *still* someone in total control over the
system. in such a case, root merely slides down one level in the
hierarchy, but the point is, you cannot lose control over your own
computer system.

therefore, any argument against "root is god" is futile and useless. it
*does* boil down to "if you don't trust the person owning the server,
don't use that machine", and i would be *very* interested to hear actual
arguments against that.

now, i realize that i've been saying things that have been said over and
over in this thread, but maybe mathias is right, maybe i am just a lamer
and a dork, and shouldn't be using computers anyway.

i will happily consider giving up this job of mine and going into the
monastery as soon as someone gives me one scenario in which i am using a
computer that i do not own (as was the setup at the beginning of the
thread), which i can use in a secure manner *without* the owner (or
root) of that machine ever possibly being able to spy on me.

--
martin;              (greetings from the heart of the sun.)
  \ echo mailto: !#^.*|tr * mailto:; [EMAIL PROTECTED]

as i was going up the stair
i met a man who wasn't there.
he wasn't there again today.
i wish, i wish he'd stay away.
  -- hughes mearns
Re: Root is God? (was: Mutt tmp files)
* Mathias Gygax [EMAIL PROTECTED] [2001.11.16 15:06:54+0100]:
> > well, i thought this is the definition of root.
>
> no. with LIDS you can protect files and syscalls even from root. in my
> setup, root cannot even write to his own home directory.

... which root can change at convenience. this thread is becoming
boring!

> my root user can't write to /usr/*, doesn't have any special syscall
> access to change network and firewall settings, can't SETUID/SETGID and
> is really locked like a normal user etc. but... root in this setup is
> useless. you can't do anything that looks like administration. you can
> run the daemons that need root access, but they're limited and can't do
> the full root stuff root usually does.

excellent. you know what i did: i just removed the root:0:... line from
/etc/passwd and /etc/shadow. now i can't be root. that must be perfect
security. yeah!

--
martin;              (greetings from the heart of the sun.)
  \ echo mailto: !#^.*|tr * mailto:; net@madduck

it's as bad as you think, and they are out to get you.
Re: Root is God? (was: Mutt tmp files)
* Mathias Gygax [EMAIL PROTECTED] [2001.11.16 14:36:30+0100]:
> > Root is God. Anything you do on the system is potentially visible to
> > root.
>
> this is, with the right patches applied, not true.
                                               ^^
> can very fine tune the setup. for a real linux multi-user system, it's
> the perfect secruity patch.
                ^^

thanks, you just made me laugh!

--
martin;              (greetings from the heart of the sun.)
  \ echo mailto: !#^.*|tr * mailto:; net@madduck

windoze nt crashed. i am the blue screen of death. no one hears your
screams.
Re: Root is God? (was: Mutt tmp files)
On Sun, Nov 18, 2001 at 05:08:14 +0100, martin f krafft wrote:

> excellent. you know what i did: i just removed the root:0:... line from
> /etc/passwd and /etc/shadow. now i can't be root. that must be perfect
> security. yeah!

before you shout, think twice. this is READ-only on my system. you don't
really understand it, right?

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Root is God? (was: Mutt tmp files)
On Sun, Nov 18, 2001 at 05:06:21 +0100, martin f krafft wrote:

> thanks, you just made me laugh!

you set lamer detector to orange.
Re: Root is God? (was: Mutt tmp files)
On Friday 16 November 2001 11:39, Mathias Gygax wrote:
> > There is no way, nor any reason why, to setup a system in such a way
> > that the maintainer of the system cannot maintain it.
>
> maintainer is someone else. root is there for serving the daemons.
> administrating the machine is the next security level and this time in
> the kernel (to deactivate it). the interface is clean.

Did you follow this thread from the beginning? The original question
asked how one could secure their email from reading by root. It's clear
in this case that "root" is a synonym for "SysAdmin". And the bottom line
is that you can't. SA may log in as root, as guest, as santaclaus - it
really doesn't matter what the user name and uid is. What matters is that
someone has full access to the system. Someone has the ability to install
keystroke sniffers and other cute little toys. If they're willing to go
to the extent of trying to recover a deleted file, they're likely willing
to go to the extent of modifying executables, etc.

root may not be God on your system, but that's not the same as saying
your system is atheistic. There IS a God; he just answers to a different
name. And you can't hide from God.
Re: Root is God? (was: Mutt tmp files)
On Thu, Nov 15, 2001 at 11:46:31PM +0100, Mark Weinem wrote:
> On Thu, 15 Nov 2001, Craig Dickson wrote:
>
> > Root is God. Anything you do on the system is potentially visible to
> > root.
>
> What about rsbac? Are there other strategies against root available?

root usually has physical access to the hardware anyway.

--
Ethan Benson
http://www.alaska.net/~erbenson/
Re: Root is God? (was: Mutt tmp files)
On Fri, Nov 16, 2001 at 04:13:16AM -0900, Ethan Benson wrote:

> > > Root is God. Anything you do on the system is potentially visible to
> > > root.

this is, with the right patches applied, not true.

> > What about rsbac? Are there other strategies against root available?
>
> root usually has physical access to the hardware anyway.

but root usually also does have remote access. take a look at
http://www.lids.org LIDS. this is a kernel patch to separate root from
the kernel (a new level of security) by having capability and mandatory
access control list support in your kernel. you can very fine tune the
setup. for a real linux multi-user system, it's the perfect security
patch.
Re: Root is God? (was: Mutt tmp files)
Hi,

Mathias Gygax wrote:
> On Fri, Nov 16, 2001 at 04:13:16AM -0900, Ethan Benson wrote:
>
> > > > Root is God. Anything you do on the system is potentially visible
> > > > to root.
>
> this is, with the right patches applied, not true.

well, i thought this is the definition of root.

> > > What about rsbac? Are there other strategies against root available?
> >
> > root usually has physical access to the hardware anyway.
>
> but root usually also does have remote access. take a look at
> http://www.lids.org LIDS.

i wanted to post something about lids, but then i thought, it doesn't
make sense in this case.

lids removes rights from the user root and the programs, which are
started by root (or init at startup). now we have the case, that someone
does not trust the root user. i think with root-user the author means
the man or woman, who has installed the server or is administrating it.
if this user is installing lids, he can disable lids or configure it so
that he can read the mails...

when there are several system administrators, does it really make sense
to install lids to have the possibility to give other (untrusted) users
the root-pw? i don't think so.

bye
Ralf
Re: Root is God? (was: Mutt tmp files)
On Fri, Nov 16, 2001 at 02:58:48PM +0100, Ralf Dreibrodt wrote:

> Hi,

hi there,

> > > > > Root is God. Anything you do on the system is potentially
> > > > > visible to root.
> >
> > this is, with the right patches applied, not true.
>
> well, i thought this is the definition of root.

no. with LIDS you can protect files and syscalls even from root. in my
setup, root cannot even write to his own home directory.

> i wanted to post something about lids, but then i thought, it doesn't
> make sense in this case.

i think it does make sense.

> now we have the case, that someone does not trust the root user.

this is the case with a LIDS setup.

> when there are several system administrators, does it really make sense
> to install lids to have the possibility to give other (untrusted) users
> the root-pw?

with a carefully implemented LIDS, this is possible. my root user can't
write to /usr/*, doesn't have any special syscall access to change
network and firewall settings, can't SETUID/SETGID and is really locked
like a normal user etc. but... root in this setup is useless. you can't
do anything that looks like administration. you can run the daemons that
need root access, but they're limited and can't do the full root stuff
root usually does.

LIDS basically does protect the kernel from root.
Re: Root is God? (was: Mutt tmp files)
Hi,

Mathias Gygax wrote:
> > i wanted to post something about lids, but then i thought, it doesn't
> > make sense in this case.
>
> i think it does make sense.

as far as i have read, the problem is that the (wo)man who has a
root-account is able to read mails. what is the advantage of installing
lids compared with removing the root-account from this (wo)man?

> but... root in this setup is useless. you can't do anything that looks
> like administration.

so, if you can't remove the root right from this person generally, you
can't install lids.

well, i think lids is only very useful to separate daemons (e.g. when
sendmail is exploited, the attacker can't modify zone-files from named or
open the named port, even if sendmail runs as root) and to detect such
exploits.

bye
Ralf
Re: Root is God? (was: Mutt tmp files)
On Fri, Nov 16, 2001 at 02:36:30PM +0100, Mathias Gygax wrote:
> On Fri, Nov 16, 2001 at 04:13:16AM -0900, Ethan Benson wrote:
>
> > > > Root is God. Anything you do on the system is potentially visible
> > > > to root.
>
> this is, with the right patches applied, not true.
>
> > > What about rsbac? Are there other strategies against root available?
> >
> > root usually has physical access to the hardware anyway.
>
> but root usually also does have remote access. take a look at
> http://www.lids.org LIDS. this is a kernel patch to separate root from
> the kernel (a new level of security) by having capability and mandatory
> access control list support in your kernel. you can very fine tune the
> setup. for a real linux multi-user system, it's the perfect security
> patch.

which root is free to turn off since he knows the password.

--
Ethan Benson
http://www.alaska.net/~erbenson/
Re: Root is God? (was: Mutt tmp files)
On Fri, 16 Nov 2001, Mathias Gygax wrote:

> > well, i thought this is the definition of root.
>
> no. with LIDS you can protect files and syscalls even from root. in my
> setup, root cannot even write to his own home directory.

No, you can't. No matter how you cut it, root can install a new kernel,
sans LIDS, and write to his/her home dir.

> my root user can't write to /usr/*, doesn't have any special syscall
> access to change network and firewall settings, can't SETUID/SETGID and
> is really locked like a normal user etc. but... root in this setup is
> useless. you can't do anything that looks like administration. you can
> run the daemons that need root access, but they're limited and can't do
> the full root stuff root usually does.
>
> LIDS basically does protect the kernel from root.

Nothing can protect the kernel from root if root can replace the kernel.
Sure you may have /boot mounted read-only, but that is a simple remount,
or boot into single user mode, or put the kernel somewhere else, or
physically put in a different harddrive.

There is no way, nor any reason why, to setup a system in such a way
that the maintainer of the system cannot maintain it.

You cannot completely lock out root, for if you do, it is no longer root.
Can root physically access the machine? If not, then there is someone
else who would be root. That's like saying root doesn't have the root
password. It doesn't matter, root can change the root password.
Re: Root is God? (was: Mutt tmp files)
On Fri, Nov 16, 2001 at 08:23:27AM -0800, Micah Anderson wrote:

> No, you can't. No matter how you cut it, root can install a new kernel,
> sans LIDS, and write to his/her home dir.

how? replace /boot? this is DENY in my setup. access lilo.conf or the
lilo binary? DENY. how do you wanna replace system binaries when LIDS is
activated and the memory and any critical file/dir is protected? you
can't shutdown or reboot the host without proper auth.

> Nothing can protect the kernel from root if root can replace the kernel.

you can't do this in LIDS in a proper setup of LIDS.

> Sure you may have /boot mounted read-only, but that is a simple remount,

no, it's not. it's not mounted, it's DENIed by the kernel. every access
on this directory is blocked by the kernel, before anything further
happens. remount or mount is blocked, IIRC, by CAP_SYS_ADMIN. with an
activated LIDS, you can't mount or umount anything. even as root.
everything is blocked.

> or boot into single user mode,

how? you can't change runlevels. once sealed, it will remain until next
reboot, when it gets sealed in single user mode.

> or put the kernel somewhere else,

where? in a protected filesystem? in /tmp? how do you tell the loader to
access this file? it's all blocked.

> or physically put in a different harddrive.

when i'm sitting in honolulu and having a drink? when there's no
physical security, there's no security at all. use crypto filesystems to
secure storage.

> There is no way, nor any reason why, to setup a system in such a way
> that the maintainer of the system cannot maintain it.

maintainer is someone else. root is there for serving the daemons.
administrating the machine is the next security level and this time in
the kernel (to deactivate it). the interface is clean.

> You cannot completely lock out root,

no, you can't. but you can protect your system from root.

> for if you do, it is no longer root.

of course it's root. who else should it be? but he can no longer access
all the interfaces with full rights.

a properly configured LIDS is secure from root abuse.

> Can root physically access the machine? If not, then there is someone
> else who would be root.

i don't care. i can seal LIDS so that you can only administrate your
machine from the console. it doesn't work any longer over remote links.

> That's like saying root doesn't have the root password. It doesn't
> matter, root can change the root password.

this is a new way of thinking. root is there for serving purposes. with
LIDS, you're sealing the kernel to not accept potentially malicious
input from root.
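What Mathias describes above (uid 0 blocked from mount, SETUID/SETGID, network settings and reboot) is something the mainline Linux kernel expresses today as per-process capability masks, which is what a defender can inspect without LIDS. The script below is an added illustration, not code from this thread, from LIDS or from any project: it decodes the Cap* lines of /proc/<pid>/status and reports which of the thread's contested privileges a "root" process actually holds; the two status dumps are constructed samples, and the bit numbers come from the kernel header include/uapi/linux/capability.h.

```python
import re

# Capability bit numbers as defined in the Linux kernel header
# include/uapi/linux/capability.h (mainline capabilities, not LIDS).
CAP_BITS = {
    "CAP_CHOWN": 0, "CAP_DAC_OVERRIDE": 1, "CAP_KILL": 5,
    "CAP_SETGID": 6, "CAP_SETUID": 7, "CAP_NET_BIND_SERVICE": 10,
    "CAP_NET_ADMIN": 12, "CAP_SYS_MODULE": 16, "CAP_SYS_RAWIO": 17,
    "CAP_SYS_ADMIN": 21, "CAP_SYS_BOOT": 22,
}

# The privileges the thread argues over, mapped to the capability that
# gates them: mount/remount (CAP_SYS_ADMIN), setuid/setgid, firewall and
# interface changes (CAP_NET_ADMIN), reboot and kexec (CAP_SYS_BOOT),
# loading kernel code or touching raw devices (CAP_SYS_MODULE, CAP_SYS_RAWIO).
ADMIN_CAPS = ("CAP_SETUID", "CAP_SETGID", "CAP_NET_ADMIN", "CAP_SYS_ADMIN",
              "CAP_SYS_BOOT", "CAP_SYS_MODULE", "CAP_SYS_RAWIO")

# Capabilities through which a user-space process can get a different
# kernel running without physical access (Micah's "replace the kernel").
KERNEL_CAPS = ("CAP_SYS_MODULE", "CAP_SYS_BOOT", "CAP_SYS_RAWIO")

# Constructed samples in /proc/<pid>/status format, not captured from a
# real host. Both processes are uid 0; only the capability masks differ.
FULL_ROOT_STATUS = """\
Name:\tbash
Uid:\t0\t0\t0\t0
Gid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t000001ffffffffff
CapEff:\t000001ffffffffff
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""

# uid 0 whose bounding set was cut down to what a daemon needs:
# CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_KILL, CAP_NET_BIND_SERVICE
# (bits 0, 1, 5, 10 -> 0x423).
RESTRICTED_ROOT_STATUS = """\
Name:\tdaemon
Uid:\t0\t0\t0\t0
Gid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t0000000000000423
CapEff:\t0000000000000423
CapBnd:\t0000000000000423
CapAmb:\t0000000000000000
"""


def parse_status(text):
    """Return (real uid, {"CapInh": int, ..., "CapAmb": int}) from a
    /proc/<pid>/status dump. Fields that are not present are left out."""
    uid, masks = None, {}
    for line in text.splitlines():
        m = re.match(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", line)
        if m:
            masks[m.group(1)] = int(m.group(2), 16)
            continue
        m = re.match(r"^Uid:\s*(\d+)", line)
        if m:
            uid = int(m.group(1))
    return uid, masks


def has_cap(mask, name):
    """True if capability `name` is set in the 64-bit mask."""
    return bool((mask >> CAP_BITS[name]) & 1)


def missing_caps(mask, names=ADMIN_CAPS):
    """Capabilities from `names` that the mask does not grant, in order."""
    return [n for n in names if not has_cap(mask, n)]


def audit(text):
    """Summarise what 'root' can do according to the kernel, not /etc/passwd."""
    uid, masks = parse_status(text)
    eff = masks.get("CapEff", 0)  # what the process can do right now
    bnd = masks.get("CapBnd", 0)  # ceiling for this process and its children:
    #                               it can be dropped but never re-added
    return {
        "uid0": uid == 0,
        "missing_now": missing_caps(eff),
        "missing_for_good": missing_caps(bnd),
        "can_swap_kernel": any(has_cap(bnd, c) for c in KERNEL_CAPS),
    }


def audit_self():
    """Audit the current process on a live Linux host; None elsewhere."""
    try:
        with open("/proc/self/status") as f:
            return audit(f.read())
    except OSError:
        return None


if __name__ == "__main__":
    for label, sample in (("full root", FULL_ROOT_STATUS),
                          ("restricted root", RESTRICTED_ROOT_STATUS)):
        print(f"{label:16s} {audit(sample)}")
    print(f"{'this process':16s} {audit_self()}")
```

Both samples report uid0 as true, but only the first holds any of ADMIN_CAPS; the second cannot regain them because its bounding set lacks them, which is the kernel-side distinction between "uid 0" and "the person who controls the machine" that the thread keeps circling.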
Re: Root is God? (was: Mutt tmp files)
Hi,

Mathias Gygax wrote:
> On Fri, Nov 16, 2001 at 08:23:27AM -0800, Micah Anderson wrote:
>
> > No, you can't. No matter how you cut it, root can install a new
> > kernel, sans LIDS, and write to his/her home dir.
>
> how? replace /boot? this is DENY in my setup. access lilo.conf or the
> lilo binary? DENY. how do you wanna replace system binaries when LIDS
> is activated and the memory and any critical file/dir is protected?

you have just another definition of root. you mean the user with the id
0. this user is really not able to do this. but root after my definition
can hit the reset-button, put in a cdrom and boot from the cdrom.

> > Sure you may have /boot mounted read-only, but that is a simple
> > remount,
>
> no, it's not. it's not mounted, it's DENIed by the kernel. every access
> on this directory is blocked by the kernel, before anything further
> happens. remount or mount is blocked, IIRC, by CAP_SYS_ADMIN. with an
> activated LIDS, you can't mount or umount anything. even as root.
> everything is blocked.

as long as you booted the normal way.

> use crypto filesystems to secure storage.

btw: is there anything similar to the international kernel patch for
linux 2.4.x?

> of course it's root. who else should it be?

you can simply change the user id of the user root instead, that's
easier ;-)

bye
Ralf
Re: Root is God? (was: Mutt tmp files)
On Fri, Nov 16, 2001 at 05:48:11PM +0100, Ralf Dreibrodt wrote:

> you have just another definition of root.

no. we don't have any user concept there.

> you mean the user with the id 0. this user is really not able to do
> this. but root after my definition can hit the reset-button, put in a
> cdrom and boot from the cdrom.

root does also have access to a remote link. so does the attacker. the
linux system doesn't have any means of telling who exactly is changing
the cdrom. there's an abstraction layer to identify you with, typically,
a password in the system. this stuff is stored on easy-to-modify media.
you must have a protection in the kernel in a secure environment and
even then it's not secure.

> as long as you booted the normal way.

of course. but, how do you wanna change it?

> btw: is there anything similar to the international kernel patch for
> linux 2.4.x?

dunno. openwall and stealth patch also don't work on 2.4.x...
Re: Root is God? (was: Mutt tmp files)
On Fri, 16 Nov 2001, Ralf Dreibrodt wrote:

> Hi,
>
> Mathias Gygax wrote:
> > On Fri, Nov 16, 2001 at 08:23:27AM -0800, Micah Anderson wrote:
> >
> > > No, you can't. No matter how you cut it, root can install a new
> > > kernel, sans LIDS, and write to his/her home dir.
> >
> > how? replace /boot? this is DENY in my setup. access lilo.conf or the
> > lilo binary? DENY. how do you wanna replace system binaries when LIDS
> > is activated and the memory and any critical file/dir is protected?
>
> you have just another definition of root. you mean the user with the id
> 0. this user is really not able to do this. but root after my
> definition can hit the reset-button, put in a cdrom and boot from the
> cdrom.

Actually, in order for some of the C patches to be meaningful (root not
having access to everything), you gotta follow some of the Rainbow book
practices like removal of alternate boot devices and RTVing up nonused
plugs. Trust me, the NSA thought of every objection you can come up with
many years before you thought of them, and covered most of them in the
Rainbow book.

> > > Sure you may have /boot mounted read-only, but that is a simple
> > > remount,
> >
> > no, it's not. it's not mounted, it's DENIed by the kernel. every
> > access on this directory is blocked by the kernel, before anything
> > further happens. remount or mount is blocked, IIRC, by CAP_SYS_ADMIN.
> > with an activated LIDS, you can't mount or umount anything. even as
> > root. everything is blocked.
>
> as long as you booted the normal way.
>
> > use crypto filesystems to secure storage.
>
> btw: is there anything similar to the international kernel patch for
> linux 2.4.x?
>
> > of course it's root. who else should it be?
>
> you can simply change the user id of the user root instead, that's
> easier ;-)
>
> bye
> Ralf

--
void hamlet() {#define question=((bb)||(!bb))}
Who is John Galt?  [EMAIL PROTECTED], that's who!
Re: Root is God? (was: Mutt tmp files)
This thread is getting old.

If you don't want root to read your email, use an editor that can be set
to not store temp files, use ASCII armor, and encrypt everything before
you send it. Root could still access memory while you are composing the
messages, so maybe you should compose them on another system (like your
own, for instance). Of course, you could use that same system on which
you have root to send the files. The easiest solution, then, is, if you
want privacy, don't do things in plaintext on a box someone else admins.
Cake. Find yourself a computer for $300 and save money from your
paper-route to buy it or something.

The other solution is a little harder. Linux wasn't ever meant to be a
capability based system in which the users have rights to privacy. The
users simply have to trust root to respect their privacy (and, as this
discussion has pointed out so pedantically, there are things the users
can try to do to maximize their privacy, if they so choose). The real
solution is to write a capability-based OS (or throw in your lot with
Eros) and set it up with users' privacy from root in mind. People will
say "Well, that's what LIDS does for Linux.", but since Linux wasn't
architected with this in mind, I suspect there will always be holes that
root can find to get past this.
Re: Root is God? (was: Mutt tmp files)
On Fri, Nov 16, 2001 at 02:36:30PM +0100, Mathias Gygax wrote:
> On Fri, Nov 16, 2001 at 04:13:16AM -0900, Ethan Benson wrote:
>
> > > > Root is God. Anything you do on the system is potentially visible
> > > > to root.
>
> this is, with the right patches applied, not true.

And who has to apply those patches...

--
Share and Enjoy.
Re: Root is God? (was: Mutt tmp files)
On Fri, Nov 16, 2001 at 05:39:43PM +0100, Mathias Gygax wrote:
> On Fri, Nov 16, 2001 at 08:23:27AM -0800, Micah Anderson wrote:
>
> > There is no way, nor any reason why, to setup a system in such a way
> > that the maintainer of the system cannot maintain it.
>
> maintainer is someone else. root is there for serving the daemons.
> administrating the machine is the next security level and this time in
> the kernel (to deactivate it). the interface is clean.

You're thinking of root as "uid 0", while the other people are thinking
of root as "the person who controls the machine". The person who
administers the machine *OWNS THE MACHINE*.

--
Share and Enjoy.
Re: Root is God? (was: Mutt tmp files)
first in this discussion root == maintainer of the box

you are suggesting the maintainer of the box has no physical access and
no privileges to maintain the box. this makes no sense.

On Fri, Nov 16, 2001 at 05:39:43PM +0100, Mathias Gygax wrote:
> i don't care. i can seal LIDS so that you can only administrate your
> machine from the console. it doesn't work any longer over remote links.
>
> > That's like saying root doesn't have the root password. It doesn't
> > matter, root can change the root password.
>
> this is a new way of thinking. root is there for serving purposes. with
> LIDS, you're sealing the kernel to not accept potentially malicious
> input from root.

or the legit maintainer, no remote admin capabilities.. doesn't sound
new, sounds like NT.

--
Ethan Benson
http://www.alaska.net/~erbenson/
Re: Root is God? (was: Mutt tmp files)
On Thu, Nov 15, 2001 at 11:46:31PM +0100, Mark Weinem wrote: On Thu, 15 Nov 2001, Craig Dickson wrote: Root is God. Anything you do on the system is potentially visible to root. What's about rsbac? Are there other strategies against root available? root usually has physical access to the hardware anyway. -- Ethan Benson http://www.alaska.net/~erbenson/ pgpw93WLrRTEZ.pgp Description: PGP signature
Re: Root is God? (was: Mutt tmp files)
On Fre, Nov 16, 2001 at 04:13:16AM -0900, Ethan Benson wrote: Root is God. Anything you do on the system is potentially visible to root. this is, with the right patches applied, not true. What's about rsbac? Are there other strategies against root available? root usually has physical access to the hardware anyway. but root usually also does have remote access. take a look at http://www.lids.org LIDS. this is a kernel patch to seperate root from the kernel (a new level of security) by having capability and mandatory access control list support in your kernel. you can very fine tune the setup. for a real linux multi-user system, it's the perfect secruity patch.
Re: Root is God? (was: Mutt tmp files)
Hi, Mathias Gygax wrote: On Fre, Nov 16, 2001 at 04:13:16AM -0900, Ethan Benson wrote: Root is God. Anything you do on the system is potentially visible to root. this is, with the right patches applied, not true. well, i thought this is the definition of root. What's about rsbac? Are there other strategies against root available? root usually has physical access to the hardware anyway. but root usually also does have remote access. take a look at http://www.lids.org LIDS. i wanted to post something about lids, but then i thought, it doesn't make sense in this case. lids removes rights from the user root and the programms, which are started by root (or init at startup). now we have the case, that someone does not trust the root user. i think with root-user the author means the man or woman, who has installed the server or is administrating it. if this user is installing lids, he can disable lids or configure it so, that he can read the mails... when there are several systemadministrators, does is really make sense to install lids to have the possibility to give other (untrusted) users the root-pw? i don't think so. bye Ralf
Re: Root is God? (was: Mutt tmp files)
On Fre, Nov 16, 2001 at 02:58:48PM +0100, Ralf Dreibrodt wrote: Hi, hi there, Root is God. Anything you do on the system is potentially visible to root. this is, with the right patches applied, not true. well, i thought this is the definition of root. no. with LIDS you can protect files and syscalls even from root. in my setup, root cannot even write to his own home directory. i wanted to post something about lids, but then i thought, it doesn't make sense in this case. i think it does make sense. now we have the case, that someone does not trust the root user. this is the case with a LIDS setup. when there are several systemadministrators, does is really make sense to install lids to have the possibility to give other (untrusted) users the root-pw? with a carefully implemented LIDS, this is possible. my root user can't write to /usr/*, doesn't have any special syscall access to change network and firewall settings, can't SETUID/SETGID and is really locked like a normal user etc. but... root in this setup is useless. you can't do anything that looks like administration. you can run the daemons that need root access, but they're limited and can't do the full root stuff root usually does. LIDS basically does protect the kernel from root.
Re: Root is God? (was: Mutt tmp files)
On Fri, Nov 16, 2001 at 02:36:30PM +0100, Mathias Gygax wrote: On Fre, Nov 16, 2001 at 04:13:16AM -0900, Ethan Benson wrote: Root is God. Anything you do on the system is potentially visible to root. this is, with the right patches applied, not true. What's about rsbac? Are there other strategies against root available? root usually has physical access to the hardware anyway. but root usually also does have remote access. take a look at http://www.lids.org LIDS. this is a kernel patch to seperate root from the kernel (a new level of security) by having capability and mandatory access control list support in your kernel. you can very fine tune the setup. for a real linux multi-user system, it's the perfect secruity patch. which root is free to turn off since he knows the password. -- Ethan Benson http://www.alaska.net/~erbenson/ pgpyYBfn3IY9b.pgp Description: PGP signature
Re: Root is God? (was: Mutt tmp files)
On Fri, 16 Nov 2001, Mathias Gygax wrote:
> > well, i thought this is the definition of root.
> no. with LIDS you can protect files and syscalls even from root. in my setup, root cannot even write to his own home directory.

No, you can't. No matter how you cut it, root can install a new kernel, sans LIDS and write to his/her home dir.

> my root user can't write to /usr/*, doesn't have any special syscall access to change network and firewall settings, can't SETUID/SETGID and is really locked like a normal user etc. but... root in this setup is useless. you can't do anything that looks like administration. you can run the daemons that need root access, but they're limited and can't do the full root stuff root usually does. LIDS basically does protect the kernel from root.

Nothing can protect the kernel from root if root can replace the kernel. Sure you may have /boot mounted read-only, but that is a simple remount, or boot into single user mode, or put the kernel somewhere else, or physically put in a different harddrive. There is no way, nor any reason why, to setup a system in such a way that the maintainer of the system cannot maintain it. You cannot completely lock out root, for if you do, it is no longer root. Can root physically access the machine? If not, then there is someone else who would be root. That's like saying root doesn't have the root password. It doesn't matter, root can change the root password.
Re: Root is God? (was: Mutt tmp files)
On Fre, Nov 16, 2001 at 08:23:27AM -0800, Micah Anderson wrote:
> No, you can't. No matter how you cut it, root can install a new kernel, sans LIDS and write to his/her home dir.

how? replace /boot? this is DENY in my setup. access lilo.conf or lilo binary? DENY. how do you wanna replace system binaries when LIDS is activated and the memory and any critical file/dir is protected? you can't shutdown or reboot the host, without proper auth.

> Nothing can protect the kernel from root if root can replace the kernel.

you can't do this in a proper setup of LIDS.

> Sure you may have /boot mounted read-only, but that is a simple remount,

no, it's not. it's not mounted, it's DENIed by the kernel. every access on this directory is blocked by the kernel, before anything further happens. remount or mount is blocked, IIRC, by CAP_SYS_ADMIN. with an activated LIDS, you can't mount or umount anything. even as root. everything is blocked.

> or boot into single user mode,

how? you can't change runlevels. once sealed, it will remain until next reboot, when it gets sealed in single user mode.

> or put the kernel somewhere else,

where? in a protected filesystem? in /tmp? how do you tell the loader to access this file? it's all blocked.

> or physically put in a different harddrive.

when i'm sitting in honolulu and having a drink? when there's no physical security, there's no security at all. use crypto filesystems to secure storage.

> There is no way, nor any reason why, to setup a system in such a way that the maintainer of the system cannot maintain it.

maintainer is someone else. root is there for serving the daemons. administrating the machine is the next security level and this time in the kernel (to deactivate it). the interface is clean.

> You cannot completely lock out root,

no, you can't. but you can protect your system from root.

> for if you do, it is no longer root.

of course it's root. who else should it be? but he can no longer access all the interfaces with full rights.

a properly configured LIDS is secure from root abuse.

> Can root physically access the machine? If not, then there is someone else who would be root.

i don't care. i can seal LIDS so that you can only administrate your machine from the console. it doesn't work any longer over remote links.

> That's like saying root doesn't have the root password. It doesn't matter, root can change the root password.

this is a new way of thinking. root is there for serving purposes. with LIDS, you're sealing the kernel to not accept potentially malicious input from root.
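The reply above says mount and remount are blocked because uid 0 lacks CAP_SYS_ADMIN. The following added example (not from this thread and not LIDS code) shows the same effect with the stock Linux capability interface (capget/capset and the capability bounding set) rather than LIDS's own ACLs; the mount target /mnt is an assumption.

```c
/* Added example, not from this thread or from LIDS: uid 0 without CAP_SYS_ADMIN cannot
 * mount. Stock Linux capabilities (capget/capset, bounding set); /mnt is an assumption. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* 1 if cap is in this process's effective set, 0 if not, -1 on invalid cap or error. */
int cap_effective_has(int cap) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    if (cap < 0 || cap > CAP_LAST_CAP) return -1;
    if (syscall(SYS_capget, &hdr, data) != 0) return -1;
    return (data[CAP_TO_INDEX(cap)].effective & CAP_TO_MASK(cap)) ? 1 : 0;
}

/* 1 if cap is still in the bounding set (an exec could regain it), 0 if dropped, -1 if invalid. */
int cap_bset_has(int cap) { return prctl(PR_CAPBSET_READ, cap, 0, 0, 0); }

/* Shed cap for good: from the bounding set (needs CAP_SETPCAP, so it may silently fail for an
 * unprivileged caller) and from the permitted/effective sets (any process may drop its own). */
int cap_drop_for_good(int cap) {                       /* returns 0 or -errno */
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    if (cap < 0 || cap > CAP_LAST_CAP) return -EINVAL;
    prctl(PR_CAPBSET_DROP, cap, 0, 0, 0);
    if (syscall(SYS_capget, &hdr, data) != 0) return -errno;
    data[CAP_TO_INDEX(cap)].effective &= ~CAP_TO_MASK(cap);
    data[CAP_TO_INDEX(cap)].permitted &= ~CAP_TO_MASK(cap);
    if (syscall(SYS_capset, &hdr, data) != 0) return -errno;
    return 0;
}

/* Try a tmpfs mount on target: 0 on success, else errno (EPERM once the cap is gone). */
int try_mount_tmpfs(const char *target) {
    return mount("none", target, "tmpfs", 0, NULL) == 0 ? 0 : errno;
}
int main(void) {
    printf("uid=%d CAP_SYS_ADMIN effective=%d bounding=%d\n", (int)getuid(),
           cap_effective_has(CAP_SYS_ADMIN), cap_bset_has(CAP_SYS_ADMIN));
    int rc = cap_drop_for_good(CAP_SYS_ADMIN);   /* drop first, so the mount below never lands */
    printf("drop: %s\n", rc == 0 ? "ok" : strerror(-rc));
    int err = try_mount_tmpfs("/mnt");
    printf("mount after drop: %s\n", err ? strerror(err) : "succeeded (cap not dropped?)");
    return 0;
}
```

Run as root to watch mount() return EPERM for uid 0 once the capability is gone; as an ordinary user it only reports the (already missing) capability state.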
Re: Root is God? (was: Mutt tmp files)
Hi,

Mathias Gygax wrote:
> On Fre, Nov 16, 2001 at 08:23:27AM -0800, Micah Anderson wrote:
> > No, you can't. No matter how you cut it, root can install a new kernel, sans LIDS and write to his/her home dir.
> how? replace /boot? this is DENY in my setup. access lilo.conf or lilo binary? DENY. how do you wanna replace system binaries when LIDS is activated and the memory and any critical file/dir is protected?

you have just another definition of root. you mean the user with the id 0. this user is really not able to do this. but root after my definition can hit the reset-button, put in a cdrom and boot from the cdrom.

> > Sure you may have /boot mounted read-only, but that is a simple remount,
> no, it's not. it's not mounted, it's DENIed by the kernel. every access on this directory is blocked by the kernel, before anything further happens. remount or mount is blocked, IIRC, by CAP_SYS_ADMIN. with an activated LIDS, you can't mount or umount anything. even as root. everything is blocked.

as long as you booted the normal way.

> use crypto filesystems to secure storage.

btw: is there anything similar to the international kernel patch for linux 2.4.x?

> of course it's root. who else should it be?

you can simply change the user id of the user root instead, that's easier ;-)

bye
Ralf
Re: Root is God? (was: Mutt tmp files)
On Fre, Nov 16, 2001 at 05:48:11PM +0100, Ralf Dreibrodt wrote:
> you have just another definition of root.

no. we don't have any user concept there.

> you mean the user with the id 0. this user is really not able to do this. but root after my definition can hit the reset-button, put in a cdrom and boot from the cdrom.

root does also have access to a remote link. so does the attacker. the linux system doesn't have any means of knowing who exactly is changing the cdrom. there's an abstraction layer to identify you with, typically, a password in the system. this stuff is stored on easy-to-modify media. you must have a protection in the kernel in a secure environment and even then it's not secure.

> as long as you booted the normal way.

of course. but, how do you wanna change it?

> btw: is there anything similar to the international kernel patch for linux 2.4.x?

dunno. openwall and stealth patch also don't work on 2.4.x...
Re: Root is God? (was: Mutt tmp files)
On Fri, 16 Nov 2001, Ralf Dreibrodt wrote:
> Hi,
>
> Mathias Gygax wrote:
> > On Fre, Nov 16, 2001 at 08:23:27AM -0800, Micah Anderson wrote:
> > > No, you can't. No matter how you cut it, root can install a new kernel, sans LIDS and write to his/her home dir.
> > how? replace /boot? this is DENY in my setup. access lilo.conf or lilo binary? DENY. how do you wanna replace system binaries when LIDS is activated and the memory and any critical file/dir is protected?
>
> you have just another definition of root. you mean the user with the id 0. this user is really not able to do this. but root after my definition can hit the reset-button, put in a cdrom and boot from the cdrom.

Actually, in order for some of the C patches to be meaningful (root not having access to everything), you gotta follow some of the Rainbow book practices like removal of alternate boot devices and RTVing up nonused plugs. Trust me, the NSA thought of every objection you can come up with many years before you thought of them, and covered most of them in the Rainbow book.

> > > Sure you may have /boot mounted read-only, but that is a simple remount,
> > no, it's not. it's not mounted, it's DENIed by the kernel. every access on this directory is blocked by the kernel, before anything further happens. remount or mount is blocked, IIRC, by CAP_SYS_ADMIN. with an activated LIDS, you can't mount or umount anything. even as root. everything is blocked.
>
> as long as you booted the normal way.
>
> > use crypto filesystems to secure storage.
>
> btw: is there anything similar to the international kernel patch for linux 2.4.x?
>
> > of course it's root. who else should it be?
>
> you can simply change the user id of the user root instead, that's easier ;-)
>
> bye
> Ralf

-- 
void hamlet() {#define question=((bb)||(!bb))}
Who is John Galt? [EMAIL PROTECTED] that's who!
Re: Root is God? (was: Mutt tmp files)
This thread is getting old.

If you don't want root to read your email, use an editor that can be set to not store temp files, use ASCII armor, and encrypt everything before you send it. Root could still access memory while you are composing the messages, so maybe you should compose them on another system (like your own, for instance). Of course, you could use that same system on which you have root to send the files. The easiest solution, then, is, if you want privacy, don't do things in plaintext on a box someone else admins. Cake. Find yourself a computer for $300 and save money from your paper-route to buy it or something.

The other solution is a little harder. Linux wasn't ever meant to be a capability based system in which the users have rights to privacy. The users simply have to trust root to respect their privacy (and, as this discussion has pointed out so pedantically, there are things the users can try to do to maximize their privacy, if they so choose). The real solution is to write a capability-based OS (or throw in your lot with Eros) and set it up with users' privacy from root in mind. People will say "Well, that's what LIDS does for Linux.", but since Linux wasn't architected with this in mind, I suspect there will always be holes that root can find to get past this.
Re: Root is God? (was: Mutt tmp files)
On Fri, Nov 16, 2001 at 02:36:30PM +0100, Mathias Gygax wrote:
> On Fre, Nov 16, 2001 at 04:13:16AM -0900, Ethan Benson wrote:
> > Root is God. Anything you do on the system is potentially visible to root.
> this is, with the right patches applied, not true.

And who has to apply those patches...

-- 
Share and Enjoy.
Re: Root is God? (was: Mutt tmp files)
On Fri, Nov 16, 2001 at 05:39:43PM +0100, Mathias Gygax wrote:
> On Fre, Nov 16, 2001 at 08:23:27AM -0800, Micah Anderson wrote:
> > There is no way, nor any reason why, to setup a system in such a way that the maintainer of the system cannot maintain it.
> maintainer is someone else. root is there for serving the daemons. administrating the machine is the next security level and this time in the kernel (to deactivate it). the interface is clean.

You're thinking of root as uid 0, while the other people are thinking of root as "The person who controls the machine". The person who administers the machine *OWNS THE MACHINE*.

-- 
Share and Enjoy.
Re: Re: Root is God? (was: Mutt tmp files)
Very simple solution: don't say anything bad about root in email.

-- 
Wot? No Coffee?
MadProf
Re: Root is God? (was: Mutt tmp files)
first in this discussion root == maintainer of the box. you are suggesting the maintainer of the box has no physical access and no privileges to maintain the box. this makes no sense.

On Fri, Nov 16, 2001 at 05:39:43PM +0100, Mathias Gygax wrote:
> i don't care. i can seal LIDS so that you can only administrate your machine from the console. it doesn't work any longer over remote links.
>
> > That's like saying root doesn't have the root password. It doesn't matter, root can change the root password.
>
> this is a new way of thinking. root is there for serving purposes. with LIDS, you're sealing the kernel to not accept potentially malicious input from root.

or the legit maintainer, no remote admin capabilities.. doesn't sound new sounds like NT.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/