mjl@ritcv.UUCP (Mike Lutz) (07/16/83)
One problem with unreadable (or otherwise inaccessible) password files is the implicit assumption that only privileged processes need to use the information. We have some database inquiry programs that run set-gid or set-uid, and which demand the invoker type his/her password again. While not perfect, the technique does stave off attempts to use an active terminal to gain access to unauthorized information. We use this primarily in cases where the command is the interface to some moderately private information that only the "real" person should see.

Of course, all such programs could run as set-uid root and access the protected password file. We prefer our approach, as it attempts to abide by the "principle of least privilege". Also, the hidden password file technique can lead to a false sense of security (read the UNIX security paper from V6).

Mike Lutz
{allegra,seismo}!rochester!ritcv!mjl
smk@linus.UUCP (Steven M. Kramer) (07/17/83)
Using the passwd file again for a utility is not exactly kosher as far as good security/separation/... goes. The passwd is the authentication mechanism for you to gain access to the system (thought of as a resource in a way). You are now using the SAME entry device for another resource. What you have done is munged the idea of separation of resources.

I agree with the idea of least privilege, but you'll see it works much better with another authentication mechanism. I suggest using another set of passwords. Then you'll get both separation and least privilege, and you can protect BOTH passwd files separately.

--
--steve kramer
{allegra,genrad,ihnp4,utzoo,philabs,uw-beaver}!linus!smk (UUCP)
linus!smk@mitre-bedford (ARPA)
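An added example (not code from either poster) of the gate both messages argue about: a set-gid inquiry program re-authenticates the *real* invoker before showing private data, and the same gate can be pointed at either the login password table (Mike's reuse) or a separate credential store for the inquiry tool (Steve's suggestion). It assumes salted PBKDF2 via hashlib as a portable stand-in for crypt(3), and the uid/password tables are constructed inline.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

ROUNDS = 100_000  # assumption: PBKDF2 iteration count for the stand-in hash

def make_entry(password: str, salt: Optional[bytes] = None) -> str:
    """Return a 'salt$hash' string, the stand-in for a crypt(3) passwd field."""
    salt = salt or secrets.token_bytes(8)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return f"{salt.hex()}${digest.hex()}"

def verify(password: str, entry: str) -> bool:
    """Constant-time comparison of a typed password against a stored entry."""
    salt_hex, digest_hex = entry.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)

# Constructed credential tables keyed by uid -> (login name, stored entry).
# LOGIN_TABLE models reusing the system password (Mike's approach);
# INQUIRY_TABLE models a separate password set for the tool (Steve's).
LOGIN_TABLE: Dict[int, Tuple[str, str]] = {1001: ("alice", make_entry("login-pw"))}
INQUIRY_TABLE: Dict[int, Tuple[str, str]] = {1001: ("alice", make_entry("inquiry-pw"))}

def gate(real_uid: int, typed: str, table: Dict[int, Tuple[str, str]]) -> bool:
    """Authenticate the real invoker (getuid(), never geteuid(), since the
    program runs set-gid). Unknown uids and wrong passwords fail closed."""
    row = table.get(real_uid)
    if row is None:
        return False
    _, entry = row
    return verify(typed, entry)

def inquiry(typed: str, table: Dict[int, Tuple[str, str]] = LOGIN_TABLE,
            real_uid: Optional[int] = None) -> str:
    """The set-gid program's behaviour after the gate: it returns only the
    authenticated caller's own record, so an unattended terminal alone
    does not expose it."""
    uid = os.getuid() if real_uid is None else real_uid
    if not gate(uid, typed, table):
        return "denied"
    return f"private record for {table[uid][0]}"
```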