On Thu, Jan 06, 2005 at 08:14:47AM -0800, Casey Schaufler wrote:
--- Klaus Weidner <klaus(a)atsec.com> wrote:
> > Note that running as a non-root UID doesn't automatically mean that
> > it corresponds to a human user.
> Ho boy. This can legitimately be true if it's an administrative UID
> that no human ever uses. This does not mean that an action on a server
> doesn't have to be authenticated just because you don't know that
> there's a human on the other end.
I did mean administrative UIDs, including reduced-privilege system
accounts for xinetd services (if any) that don't enable functionality
that would require auditing. Of course, you have to know for sure that
this is the case, and not guess based on assumptions about humans or
systems on the other end of the wire.
> > But it's obviously unacceptable to run anything with the rights of a
> > human user based on data received from the network if the
> > authentication steps were not done. This rules out passwordless rsh
> > and similar abominations.
> Almost. The Irix B1, CAPP, and LSPP evaluations allowed passwordless
> rsh in the case of a common administrative domain. If the client and
> the server are administered together and the audit trail is combined,
> you have everything you need.
Okay, in that case the users have been authenticated by the remote
system first, and the second system extends trust based on this.
I had made the implicit assumption of independent administrative domains
as was done in the previous Linux security targets, but there are of
course other ways to define this. I would still consider passwordless rsh
to be an abomination though ;-)
-Klaus