[net.unix-wizards] Inaccessible password files

mjl@ritcv.UUCP (Mike Lutz) (07/16/83)

One problem with unreadable (or otherwise inaccessible) password files is
the implicit assumption that only privileged processes need to use the
information.  We have some database inquiry programs that run set-gid
or set-uid, and which demand the invoker type his/her password again.
While not perfect, the technique does stave off attempts to use an
active terminal to gain access to unauthorized information.  We use
this primarily in cases where the command is the interface to some
moderately private information that only the "real" person should see.

Of course, all such programs could run as set-uid root and access the
protected password file.  We prefer our approach, as it attempts to
abide by the "principle of least privilege".  Also, the hidden password
file technique can lead to a false sense of security (read the UNIX
security paper from V6).

Mike Lutz {allegra,seismo}!rochester!ritcv!mjl

smk@linus.UUCP (Steven M. Kramer) (07/17/83)

Using the passwd file again for a utility is not exactly kosher as
far as good security/separation/... goes.  The passwd is the authentication
mechanism for you to gain access to the system (thought of as a resource
in a way).  You are now using the SAME entry device for another
resource.  What you have done is munged the idea of separation of
resources.  I agree with the idea of least privilege, but you'll see
it works much better with another authentication mechanism.  I
suggest using another set of passwords.  Then you'll get separation
and least privilege, and you can protect BOTH passwd files
separately.
-- 
--steve kramer
	{allegra,genrad,ihnp4,utzoo,philabs,uw-beaver}!linus!smk	(UUCP)
	linus!smk@mitre-bedford						(ARPA)
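An added example, written for this thread and not code from either poster: it shows the two ideas side by side, the re-authentication check a set-uid/set-gid query utility performs before it shows private data (Mike's technique), done against a credential file that belongs to the utility rather than the system passwd (Steve's separation). The file path, the `user:salt:digest` line format, and the PBKDF2 parameters are assumptions; the sample entries are constructed inline.

```python
"""Per-utility credential store, kept separate from the system password
database, plus the re-authentication check a set-id utility would run.
Added illustration for the net.unix-wizards thread; nothing here is the
posters' code.  The path and file format below are assumptions."""
import hashlib
import hmac
import os
import pwd
from typing import Dict, Optional, Tuple

# Assumed location of the utility's own password file.  It is deliberately
# NOT /etc/passwd: compromising one does not hand over the other.
APP_PASSWD_PATH = "/var/lib/dbquery/passwd"   # hypothetical

PBKDF2_ROUNDS = 100_000   # assumed work factor for the salted hash


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a salted PBKDF2-HMAC-SHA256 of the password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def format_entry(user: str, password: str) -> str:
    """One line of the utility's credential file: user:salt_hex:digest_hex."""
    salt, digest = hash_password(password)
    return f"{user}:{salt.hex()}:{digest.hex()}"


def parse_store(text: str) -> Dict[str, Tuple[bytes, bytes]]:
    """Parse the credential file text; blank lines and '#' comments are skipped,
    and a malformed line is an error rather than a silently ignored entry."""
    store: Dict[str, Tuple[bytes, bytes]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"malformed credential entry on line {lineno}")
        user, salt_hex, digest_hex = parts
        store[user] = (bytes.fromhex(salt_hex), bytes.fromhex(digest_hex))
    return store


def verify(store: Dict[str, Tuple[bytes, bytes]], user: str, password: str) -> bool:
    """Check a password against the utility's own store (never the login password)."""
    entry = store.get(user)
    if entry is None:
        # Do the same amount of work for an unknown user so the response time
        # does not reveal which names exist in the store.
        hash_password(password, b"\x00" * 16)
        return False
    salt, expected = entry
    _, actual = hash_password(password, salt)
    return hmac.compare_digest(actual, expected)


def reauthenticate_invoker(store: Dict[str, Tuple[bytes, bytes]], typed: str) -> bool:
    """What the set-gid query program does before revealing private data: the
    REAL uid (the person at the terminal) must prove knowledge of the utility's
    password, so an unattended logged-in session alone is not enough."""
    invoker = pwd.getpwuid(os.getuid()).pw_name
    return verify(store, invoker, typed)


def load_store(path: str = APP_PASSWD_PATH) -> Dict[str, Tuple[bytes, bytes]]:
    """Read the credential file; the set-id utility is the only thing that
    needs to read it, so the file itself can be mode 0400 owned by that group."""
    with open(path, "r", encoding="ascii") as fh:
        return parse_store(fh.read())


if __name__ == "__main__":
    # Constructed sample store standing in for APP_PASSWD_PATH.
    sample = "\n".join([
        "# dbquery credentials (constructed sample)",
        format_entry("mjl", "correct horse"),
        format_entry("smk", "battery staple"),
    ])
    s = parse_store(sample)
    print("mjl ok:", verify(s, "mjl", "correct horse"))
    print("mjl wrong:", verify(s, "mjl", "battery staple"))
```

Because the store holds only salted hashes, leaving it readable to the utility's group (instead of running the utility as root to read a hidden passwd) is the least-privilege arrangement the first post argues for; and because its secrets are distinct from login passwords, a leak of either file does not compromise the other, which is the separation the second post asks for.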