Handling disk full & No Kernel resources
Klaus Weidner
klaus at atsec.com
Thu Jan 6 22:41:02 UTC 2005
On Thu, Jan 06, 2005 at 08:14:47AM -0800, Casey Schaufler wrote:
> --- Klaus Weidner <klaus at atsec.com> wrote:
> > Note that running as a non-root UID doesn't automatically mean that
> > it corresponds to a human user.
>
> Ho boy. This can legitimately be true if it's an administrative UID
> that no human ever uses. This does not mean that an action on a server
> doesn't have to be authenticated just because you don't know that
> there's a human on the other end.
I did mean administrative UIDs, including reduced-privilege system
accounts for xinetd services (if any) that don't enable functionality
that would require auditing. Of course, you have to know for sure that
this is the case, and not guess based on assumptions about humans or
systems on the other end of the wire.
> > But it's obviously unacceptable to run anything with the rights of a
> > human user based on data received from the network if the
> > authentication steps were not done. This rules out passwordless rsh
> > and similar abominations.
>
> Almost. The Irix B1, CAPP, and LSPP evaluations allowed passwordless
> rsh in the case of a common administrative domain. If the client and
> the server are administered together and the audit trail is combined,
> you have everything you need.
Okay, in that case the users have been authenticated by the remote
system first, and the second system extends trust based on this.
I had made the implicit assumption of independent administrative domains
as was done in the previous Linux security targets, but there are of
course other ways to define this. I would still consider passwordless rsh
to be an abomination though ;-)
-Klaus
More information about the Linux-audit
mailing list