On Thu, 24 Aug 2006, Neal Becker wrote:
Ralf Ertzinger wrote:
Hi.
On Thu, 24 Aug 2006 11:04:26 -0400, Neal Becker wrote:
Hmmm. What is the advantage of this scheme? The first disadvantage that springs to my mind is that any attacker that gains user privileges (browser bug or whatever) can suddenly change the user password.
How is that a disadvantage, compared to existing systems? With previous systems, if you gain user priv you can also change user password. I think the idea of tcb is that's all you can do. No suid root stuff is used. (Honestly, I don't know much about tcb - I just thought it might be of interest)
I think Ralf was thinking that tcb would permit something conceptually along the lines of
$ vi /etc/tcb/`id -un`/shadow
to change your existing passwd w/o having to know it
The permissions on /etc/tcb should prevent that though -- only an sgid shadow app (the passwd command) can be used....
later, chris
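The access check chris describes, modelled as an added example (not part of the original thread and not tcb's own code): a process needs search permission on every directory in the path before the file's own mode matters. The owners and modes are assumed from the Openwall tcb documentation (/etc/tcb root:shadow 0710, per-user directory user:auth 2710, shadow file 0640); the uids, gids and the user alice are constructed.

```python
from collections import namedtuple

Node = namedtuple("Node", "uid gid mode")
Proc = namedtuple("Proc", "euid groups")  # groups = effective gid + supplementary gids

R, W, X = 4, 2, 1
# Constructed ids; layout assumed from the tcb documentation, not taken from the thread.
ROOT, ALICE, BOB, SHADOW, AUTH, USERS = 0, 1000, 1001, 42, 43, 100
TREE = {
    "/": Node(ROOT, ROOT, 0o755),
    "/etc": Node(ROOT, ROOT, 0o755),
    "/etc/tcb": Node(ROOT, SHADOW, 0o710),        # only root or group shadow may enter
    "/etc/tcb/alice": Node(ALICE, AUTH, 0o2710),  # owned by the user herself
    "/etc/tcb/alice/shadow": Node(ALICE, AUTH, 0o640),
}

def allowed(proc, node, want):
    """Classic Unix DAC: exactly one of the owner/group/other triplets applies."""
    if proc.euid == 0:          # simplification: root bypasses DAC
        return True
    if proc.euid == node.uid:
        bits = node.mode >> 6
    elif node.gid in proc.groups:
        bits = node.mode >> 3
    else:
        bits = node.mode
    return (bits & want) == want

def can_open(proc, path, want, tree=TREE):
    """Return (ok, blocking_path); blocking_path is None when access is granted."""
    parts = path.strip("/").split("/")
    dirs = ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]
    for d in dirs:              # search (x) is required on every ancestor directory
        if not allowed(proc, tree[d], X):
            return False, d
    return (True, None) if allowed(proc, tree[path], want) else (False, path)

TARGET = "/etc/tcb/alice/shadow"
browser_as_alice = Proc(ALICE, {USERS})          # compromised user process, e.g. vi
passwd_as_alice = Proc(ALICE, {SHADOW, USERS})   # sgid shadow passwd run by alice
passwd_as_bob = Proc(BOB, {SHADOW, USERS})       # sgid shadow passwd run by bob

if __name__ == "__main__":
    for name, proc in [("browser/alice", browser_as_alice),
                       ("passwd/alice", passwd_as_alice),
                       ("passwd/bob", passwd_as_bob)]:
        print(name, can_open(proc, TARGET, W))
```

In this model alice owns her shadow file yet is stopped at /etc/tcb without group shadow, while an sgid shadow process running as another user is stopped at alice's own directory.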