Re: R?f. : RE: Running PostGre on DVD - Mailing list pgsql-hackers

From Martijn van Oosterhout
Subject Re: R?f. : RE: Running PostGre on DVD
Date
Msg-id 20051115165441.GN7519@svana.org
In response to Re: R?f. : RE: Running PostGre on DVD  ("Magnus Hagander" <mha@sollentuna.net>)
List pgsql-hackers
On Tue, Nov 15, 2005 at 05:33:38PM +0100, Magnus Hagander wrote:
> There is *NOTHING* wrong with the model in this case. It's the specific
> implementation of the model that is broken.
> If you assign every user uid "0" in Unix, I believe you'd get the same
> problem as when you assign every user an admin on windows... Both are
> equally stupid. There's just more software on windows that is designed
> for such stupid environments, but it's not in the security model itself.
> If it was in the actual security model, we'd have to do something.

Actually, no. In UNIX if you are running as user 0, you can su to any
other user ID, even if they don't exist. You can set it up so you can
never go back, a trapdoor basically. Under linux you can even give up
all sorts of privileges without changing your UID.

The difference with Windows appears to be that you can't willingly
restrict your own privileges without creating another user and
switching to them.

For example, does the windows model allow you to say (without creating
a new user): I irrevocably restrict my access to files owned by user X
for this process *only*. Or to files under subdirectory Y. Or I
irrevocably restrict my access to open new network sockets. Or
irrevocably restrict my access to create new users.

If this is possible then a patch might be accepted that would allow you
to run as "admin" but only after giving up all the rights that aren't
actually needed.

If you can't do this, I'd call the model flawed.

Have a nice day,
--
Martijn van Oosterhout   <kleptog@svana.org>   http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.
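
The one-way switch away from UID 0 that the message above calls a trapdoor, written out as an added example; it is not code from the original post or from PostgreSQL. The function name `drop_privileges`, the result codes and the target ID 65534 ("nobody" on many systems) are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum drop_result { DROP_OK = 0, DROP_FAILED = -1, DROP_REVERSIBLE = -2 };

/* Switch the calling process to uid/gid for good and prove that the
 * switch cannot be undone. Order matters: supplementary groups and the
 * gid must be changed while the process is still root, the uid last. */
enum drop_result drop_privileges(uid_t uid, gid_t gid)
{
    /* Only root may (and must) clear inherited supplementary groups. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return DROP_FAILED;

    /* Called as root, setgid()/setuid() set the real, effective and
     * saved IDs together, so no saved ID is left to switch back to. */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return DROP_FAILED;

    /* Do not trust the return codes alone: read the IDs back. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return DROP_FAILED;

    /* The trapdoor check: any successful way back to root means the
     * drop was not permanent (this includes a target uid of 0). */
    if (setuid(0) == 0 || seteuid(0) == 0)
        return DROP_REVERSIBLE;

    return DROP_OK;
}

int main(void)
{
    /* Assumed target: 65534 when started as root, otherwise our own IDs. */
    int root = (geteuid() == 0);
    uid_t uid = root ? (uid_t)65534 : geteuid();
    gid_t gid = root ? (gid_t)65534 : getegid();

    enum drop_result r = drop_privileges(uid, gid);
    printf("drop to uid %ld: %s\n", (long)uid,
           r == DROP_OK ? "permanent" :
           r == DROP_REVERSIBLE ? "can be undone" : "failed");
    return r == DROP_OK ? 0 : 1;
}
```

A caller should treat any result other than `DROP_OK` as fatal and exit before touching untrusted input.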
