From mboxrd@z Thu Jan 1 00:00:00 1970
To: 9fans@cse.psu.edu
From: "Douglas A. Gwyn"
Message-ID: <3E4DD1E5.6090101@null.net>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
References: <3E4C66DC.4000604@null.net>,
Subject: Re: [9fans] So What is P9 good for.....
Date: Mon, 17 Feb 2003 09:53:23 +0000
Topicbox-Message-UUID: 648026bc-eacb-11e9-9e20-41e7f4b1d025

Ronald G. Minnich wrote:
> On Fri, 14 Feb 2003, Douglas A. Gwyn wrote:
>> The use of set-UID-0 *applications* on Unix was extremely
>> short-sighted.
> Hey, it was worth a patent. ...

Perhaps you missed the point I was making. The capability of executing
a process with enhanced privilege was fine, but should have been used
only to implement an access control layer or service, not to elevate
every operation in a high-level application to superuser privilege.

At BRL we spent many man-months fixing security holes in Research Unix
but even more for BSD, where evidently the quickest implementation was
usually the one chosen, without much regard for security ramifications.
That would have been adequate for a single trusted error-free user, but
not in a networked timesharing environment.

CERT still receives security problem reports for bind, sendmail, etc.,
and many of them can be directly attributed to a set-UID process having
at some point during execution more privilege than it needs to perform
its intended function. It's experiences like that that make me a big
fan of capability-based systems architecture.
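The distinction Gwyn draws above, privilege used for one narrow step versus privilege held for the whole run of an application, is what the following C program illustrates. It is an added example, not code from the 9fans thread or from any of the programs mentioned in it. It assumes a Linux or BSD system with setresuid(2)/setresgid(2) (glibc needs _GNU_SOURCE), uses port 8080 and the "nobody" account as stand-ins for whatever a real service would use, and shows the pattern a set-UID-0 daemon should follow: do the single operation that needs root (binding the port), then permanently drop to an unprivileged identity and verify that root cannot be regained before any application logic runs.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* The one privileged step. On Linux, binding a port below 1024 needs
 * root (or CAP_NET_BIND_SERVICE); nothing else this program does needs
 * privilege, so this is the only work done before the drop.
 * Returns a listening socket on 127.0.0.1:port, or -1 with errno set. */
int open_listener(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 ||
        listen(fd, 16) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Permanent privilege drop. Order matters: supplementary groups first
 * (only possible while still root), then gid, then uid. Real, effective
 * AND saved IDs are all set, so the classic mistake of leaving saved
 * uid 0 behind (which lets seteuid(0) undo the drop) cannot happen.
 * Returns 0 on success, -1 on failure; the caller must abort on -1. */
int drop_privileges_to(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    /* Verify rather than trust: after a drop to a non-root uid, an
     * attempt to become root again must now fail with EPERM. */
    if (uid != 0 && (setresuid(0, 0, 0) == 0 || geteuid() == 0))
        return -1;
    return 0;
}

/* Whole-program shape: privileged open, drop, then the application
 * proper runs unprivileged. This demo only reports its IDs and exits. */
int main(int argc, char **argv)
{
    unsigned short port = argc > 1 ? (unsigned short)atoi(argv[1]) : 8080;
    int fd = open_listener(port);
    if (fd < 0) {
        perror("open_listener");
        return 1;
    }

    /* If invoked set-UID-0 by an ordinary user, fall back to that user's
     * real IDs. If started by root itself, use a service account
     * ("nobody" is an assumption here; a real daemon has its own). */
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (uid == 0) {
        struct passwd *pw = getpwnam("nobody");
        if (!pw) {
            fprintf(stderr, "no such user: nobody\n");
            return 1;
        }
        uid = pw->pw_uid;
        gid = pw->pw_gid;
    }
    if (drop_privileges_to(uid, gid) != 0) {
        perror("drop_privileges_to");
        return 1; /* never continue running privileged by accident */
    }
    printf("listening on 127.0.0.1:%u as uid=%u euid=%u gid=%u egid=%u\n",
           port, (unsigned)getuid(), (unsigned)geteuid(),
           (unsigned)getgid(), (unsigned)getegid());
    close(fd);
    return 0;
}
```

The contrast with the pattern the message criticises is in where the drop sits: a set-UID-0 application that parses input, resolves names and talks to the network with euid 0 throughout gives every bug in those paths root; here only bind() runs privileged, and a failed or incomplete drop is treated as fatal rather than ignored.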