Destroying "only" your home directory (was Re: Newbie question on permissions)
Alan McKinnon
alan at linuxholdings.co.za
Sun Apr 2 20:00:08 UTC 2006
On Sunday 02 April 2006 05:07, Matthew R. Dempsky wrote:
> On Sat, Apr 01, 2006 at 06:40:00PM -0600, Michael V. De Palatis
> Sorry, maybe my point wasn't clear: I don't think privilege
> separation is a bad thing, just that simply separating root from
> users doesn't go anywhere near far enough, and that users aren't
> given enough access to further privilege separation.
The problem with that idea is that it's extremely hard to implement in
a concise, easy to use manner. *nix permissions were designed so that
multiple users could share resources without clobbering each other's
stuff - so you can do anything you like with files you own. Sure,
it's inconvenient sometimes, but consider the effects of the
alternatives below
> On the servers I administer, almost every service runs as its own
> dedicated user with the bare minimum necessary permissions.
>
> However, it's not practical to do similarly as a regular user on
> my laptop. For example, how do I run mplayer such that I can safely
> watch any movie I download online? There have been exploits in
> mplayer before[1], who's to say they won't happen again?
>
> [1] http://tigger.uic.edu/~jlongs2/holes/mplayer.txt
You could build a system that allows mplayer direct access to the
video hardware but not everything else. Two ways present themselves:
1. Increase the program's privileges. This is basically an expansion
of setuid/setgid with fine grained control.
2. Increase the privilege of the user the program runs as. This is
the entire idea behind the Windows model.
What's the problem? Permission creep. If you can elevate an arbitrary
user's access to resources, then users will tend to elevate their
permissions to the maximum to "make things easier". Eventually
running as an admin will become the norm, which is no better than
routinely running as root.
The second problem is complexity. If you can select all manner of
stuff that users can do on an individual basis, it's only a matter of
time before someone builds an "enable all" function into permissions.
Same results as the first problem.
As evidence, how many sites have you seen where the full functionality
of sudo is used? It becomes a real pita to maintain with several
users, so the general tendency is that a user is either a full sudoer
or not. Not any different from 'su -' in effect, except you now know
which user ran a command as root.
Permissions as they are aren't perfect, but it's the best system found
so far. It's the simplest thing that could possibly work and get the
job done, and it's still with us after 30 years. In some ways it
sucks, but all the alternatives suck much more.
--
Alan McKinnon
alan at linuxholdings dot co dot za
+27 82, double three seven, one nine three five
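The sudo contrast the post draws, as an added sudoers fragment that is not part of the thread: the "full sudoer" line next to a per-command grant. User names, host and command paths are assumptions chosen for illustration.

```sudoers
# Added example, not from the thread. Users, hosts and paths are assumed.

# (a) The "full sudoer" the post describes. In effect the same as 'su -',
#     except that sudo logs each invocation (user, command, tty) via syslog,
#     so you can later see which user ran a command as root.
alice   ALL=(ALL) ALL

# (b) Fine-grained grant: bob may only restart one service and read its
#     error log, with exactly these arguments. Anything else is refused.
Cmnd_Alias WEB_ADMIN = /usr/sbin/service apache2 restart, \
                       /usr/bin/tail /var/log/apache2/error.log
bob     ALL=(root) WEB_ADMIN

# Each new task bob needs is another alias entry to maintain on every host.
# That upkeep is the "pita" the post refers to, and it is why many sites
# drift back to form (a) for everyone.
```

Check a grant without editing the file by hand: `sudo -l -U bob` lists exactly which commands bob may run, and `visudo -c` validates the syntax before it takes effect.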