
Re: getspnam-support

From:
John Macdonald
Date:
December 5, 1999 20:25
Subject:
Re: getspnam-support
Message ID:
199912060410.XAA21152@elegant.com
Tom Phoenix <rootbeer@redcat.com> writes:
|| On Sat, 4 Dec 1999, John Macdonald wrote:
|| 
|| > Providing the password to all root programs means that any program
|| > that *might* be run by root
|| 
|| Come on. Any program *might* be run by root.
|| 
|| If the superuser runs programs which shouldn't be run by the superuser,
|| the game is over.

"which shouldn't be run by the superuser" is exactly my point.

A program that never loads any security critical information
into its memory is much easier to prove safe for superuser use.
When such a program is given security-critical information that
it doesn't need, it is much harder to prove that it is still
safe for use by root.

Having getpw* return getspw* info for root puts the onus for
security on *all* programs that use getpw*.  Having separate
calls makes innocuous programs that aren't intending to use
the password automatically safer.  Programs that are being
written for security purposes would need to add that extra
's' to call getspw*, a trivial requirement compared to the
rest of their "design for security" issues.

The BSD design is fail-unsafe instead of fail-safe, making it
easier to write a program that accidentally causes an
insecurity when used in a manner that the writer didn't
expect.

--
John Macdonald     jmm@jmm.pickering.elegant.com
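The separate-call design the post argues for, as an added Python example (not code from the thread or from perl): a getpwnam-style wrapper that scrubs the password field unless the caller uses the explicitly named call, so a program that never intended to handle the hash cannot receive it even when run as root on a platform whose getpw* fills the field in. Python's `pwd` module mirrors the C getpw* interface; the `PasswdEntry` type, the injectable `lookup` parameter, `getspnam_like` and `constructed_entry` are assumptions made so the behaviour can be shown on a constructed record rather than a live passwd file.

```python
import pwd
from typing import Callable, NamedTuple

# Values a getpw* call returns in the password field when the real hash is
# kept in the shadow file (or the account has no password at all).
SHADOW_PLACEHOLDERS = {"x", "*", "!", "!!", ""}


class PasswdEntry(NamedTuple):
    """Assumed plain record mirroring pwd.struct_passwd's fields."""
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    dir: str
    shell: str


def is_shadow_placeholder(field: str) -> bool:
    """True only for known placeholders; anything else is treated as secret
    material (fail-safe: unrecognised content is scrubbed, not passed on)."""
    return field in SHADOW_PLACEHOLDERS


def safe_getpwnam(name: str, lookup: Callable = pwd.getpwnam) -> PasswdEntry:
    """getpwnam() for programs that never need the password: whatever the
    platform puts in pw_passwd (a placeholder, or the real hash when run as
    root on a system that fills it in), the caller only ever sees '*'."""
    e = lookup(name)
    passwd = e.pw_passwd if is_shadow_placeholder(e.pw_passwd) else "*"
    return PasswdEntry(e.pw_name, passwd, e.pw_uid, e.pw_gid,
                       e.pw_gecos, e.pw_dir, e.pw_shell)


def getspnam_like(name: str, lookup: Callable = pwd.getpwnam) -> str:
    """The deliberately separate call: only code that spells out that it
    wants the hash gets it (the extra 's' the post mentions)."""
    return lookup(name).pw_passwd


def constructed_entry(passwd: str) -> pwd.struct_passwd:
    """Constructed sample record (assumption; not read from any real file)."""
    return pwd.struct_passwd(("alice", passwd, 1000, 1000, "Alice",
                              "/home/alice", "/bin/sh"))


if __name__ == "__main__":
    root_view = lambda _: constructed_entry("$6$constructedsalt$constructedhash")
    print(safe_getpwnam("alice", root_view).passwd)  # '*'
    print(getspnam_like("alice", root_view))         # the constructed hash
```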
