bstempleton@watmath.UUCP (Brad Templeton) (08/07/83)
With more and more people running UNIX (TM of BTL) on their very own machine, I think we need to do another evaluation of permission schemes. Essentially, the problem is that you want to be full power (i.e. root) on your machine, but you also want to protect yourself from dumb mistakes, and you want to make file permissions mean something. It's quite annoying to have to be switching back and forth between su and yourself, although job control makes this a bit easier.

My idea here is to make a modification to the shell so that the user can put it in "root shell" mode. In this case, the shell runs as root, but whenever it forks a command, it setuids to some chosen innocuous user. Thus as far as the user is concerned, he is not root. (This means you have to fork even things like echo and other built-ins, as well as forking before opening redirection files.) If the command line has the word "root" or "su" or whatever on the front of it, however, the setuid is not done and everything proceeds with full power. I.e.:

    $ rm file
    rm: file not removed
    $ root rm file
    $ root                 (no argument, no password ever requested)
    # (now you can do a long list of root things)
    ^D
    $ echo hi >/etc/passwd -- permissions denied

The idea being that su has a password, but you never want to type it more than once. This could be done with a setuid program but this is faster and more secure.

Another system that doesn't require the forking for normal commands is to create a half-baked root (uid 1) which has the one special power to do a setuid(0); to do what it wants. This requires kernel mods, however. Has anybody ever done this?

-- 
Brad Templeton - Waterloo, Ont. (519) 886-7304
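As an added illustration (not code from Brad's post), here is a minimal C sketch of the "root shell" mode described above: the shell itself keeps uid 0, every command runs in a forked child that first drops to an innocuous uid, and only a line beginning with the word "root" keeps full power. The names run_line/command_of/want_root and the DROP_UID/DROP_GID values are my own assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define DROP_UID 65534   /* assumed: an innocuous account such as "nobody" */
#define DROP_GID 65534

int want_root(const char *line)
{
    return strcmp(line, "root") == 0 || strncmp(line, "root ", 5) == 0;
}

/* What sh gets: bare "root" opens a root subshell (left with ^D), "root cmd" runs cmd. */
const char *command_of(const char *line)
{
    return strcmp(line, "root") == 0 ? "/bin/sh" : want_root(line) ? line + 5 : line;
}

/* Fork; drop to drop_uid/drop_gid unless the line asked for root; exec "sh -c cmd".
 * sh opens any ">file" redirection in the child, i.e. after the setuid.  Returns the exit status. */
int run_line(const char *line, uid_t drop_uid, gid_t drop_gid)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* group first: once the uid is no longer 0, setgid() would be refused */
        if (!want_root(line) && (setgid(drop_gid) != 0 || setuid(drop_uid) != 0))
            _exit(127);
        execl("/bin/sh", "sh", "-c", command_of(line), (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char line[256];
    while (fputs("$ ", stdout), fflush(stdout), fgets(line, sizeof line, stdin)) {
        line[strcspn(line, "\n")] = '\0';
        run_line(line, DROP_UID, DROP_GID);
    }
    return 0;
}
```

Run as root, "echo hi >/etc/passwd" fails with permission denied while "root echo hi >/etc/passwd" succeeds; run by an ordinary user, the setuid() in the child fails and the command is refused with status 127.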
mike@brl-vgr@sri-unix.UUCP (08/23/83)
From: Mike Muuss <mike@brl-vgr>

At Johns Hopkins, the dual-personality shell WAS built (and it is still in use), although for a somewhat different purpose than you desire. There, the intention was to have an "operator" shell that would run certain commands as ROOT (like PS, SHUTDOWN, etc), and the rest as a normal user ("operator"). The set of commands which would run privileged was carefully selected to prevent operators from gaining undue control over the machine, yet still be able to take backups, etc.

The version which is presently running at JHU is based on the old V6 shell, but the concepts employed in the code might very well be movable into newer shells. Contact Bob Miles <RSM@BRL> or Bob Jesse <RNJ%JHU@Udel-relay> for details.

-Mike