On Thu, Aug 24, 2006 at 11:43:40AM -0400, Chris Ricker wrote:
On Thu, 24 Aug 2006, Neal Becker wrote:
Ralf Ertzinger wrote:
Hi.
On Thu, 24 Aug 2006 11:04:26 -0400, Neal Becker wrote:
Hmmm. What is the advantage of this scheme? The first disadvantage that springs to my mind is that any attacker that gains user privileges (browser bug or whatever) can suddenly change the user password.
How is that a disadvantage, compared to existing systems? With previous systems, if you gain user priv you can also change user password. I think the idea of tcb is that's all you can do. No suid root stuff is used. (Honestly, I don't know much about tcb - I just thought it might be of interest)
I think Ralf was thinking that tcb would permit something conceptually along the lines of
$ vi /etc/tcb/`id -un`/shadow
to change your existing passwd w/o having to know it
The permissions on /etc/tcb should prevent that though -- only an sgid shadow app (the passwd command) can be used....
It's not a bad idea; it's probably unlikely that the existing suid passwd has any security problems, but you never know. On the other hand, many people (probably everyone who has more than a couple machines) can just remove the suid bit from passwd right now without any problems, since most likely all their passwords live in kerberos/ldap/nis already.
Kostas