l4-hurd

Re: Sysadmins


From: Bas Wijnen
Subject: Re: Sysadmins
Date: Thu, 3 Nov 2005 10:33:17 +0100
User-agent: Mutt/1.5.11

On Wed, Nov 02, 2005 at 10:24:04PM -0300, Leonardo Lopes Pereira wrote:
> >  As you mention later in this post, you need to trust the software that is
> > installed to make use of it. If you don't trust the software, don't use it.

This is not needed.  As has been mentioned, untrusted programs can be run in a
confined space where they cannot do harm (except eat resources that are given
to them, but they can be taken away again).  For this purpose, almost all
programs should be considered untrusted, because even if you trust the source,
a bug in it may still give a cracker or virus control over it, which turns it
into a hostile program.

> > > So, if we will design a system where people can feel secure, we need to
> > > create a system where the admin has as little power as possible.

This is a good idea, but that doesn't include all the things you mention, I
think.  In particular, except for trusted programs (shells), the system
administrator should be allowed to install or replace programs, because they
aren't treated as trusted anyway.

In practice, I suppose you want to allow the administrator to install and
replace shells as well, since they can very well contain bugs.  However, this
must be considered a highly sensitive operation.  I wouldn't mind if a reboot
was needed for it in the default setup.

> I am not a security paranoiac. But I cannot trust someone when I do not
> know who it is. I am the sysadmin of my computer; I trust myself. My brother
> is the sysadmin of the other computer that I have; I trust him. But I do not
> know who the sysadmin of the computer at my university is. How can I know
> that he will not put backdoors in the programs? How can I know that there is
> no spyware on the computer? I _CANNOT_ trust it.

If you don't trust the person who installed the computer, then you shouldn't
put your private data on it.  This is always true, because they can change the
sensitive programs (shells, drivers, kernel).

> So, I will only be safe in a system where I am _SURE_ that he has almost the
> same power that I have on the system. I will be safe only in a system where
> he can only configure some small things, like the disk quota, cpu quota,
> boot manager...

The problem is that they technically can change everything if they have full
access to the hardware, and there's nothing you can do about it.  If there is,
they can still decide to use different hardware.  So no, if you don't trust
those people, then there's nothing that software can do to help, because you
can't guarantee that they actually use that software.

> > > In my opinion, the admin is a user that will be able ONLY to configure
> > > some parts of the system that cannot be configured by a user. All other
> > > things that the admin needs to do, like run a server, will be done by a
> > > common user with no more power than other users.

That is, in a confined space, like when any other user would start a server.

> I do not know if someone has written something about that, but, to me, it
> seems easy to understand: the sysadmin has no power to change things that
> can damage me. Only a small list of special things can be done only by him,
> and his actions are no safer than anonymous actions in the system.

The administrator should install software in trusted places (the administrator
must be trusted anyway) and set quota as far as that is needed.  And of course
he should create accounts for users (and remove their rights when that is
needed).

> > > To install programs we can create a mechanism where every user can
> > > install programs that will be available to every user, but all programs
> > > would be signed by their origin, and if the user trusts that origin,
> > > this program will be able to work perfectly; if the user doesn't trust
> > > the origin of the program, he will be alerted about that and will
> > > choose how this program will run.

That doesn't work.  Most programs contain bugs.  This is not because the
origin is hostile.  Therefore, a trusted origin doesn't guarantee that a
program will not misbehave.  Except if you mean with trusted that it's part of
the trusted code base (kernel, some drivers, shells, ...), but I think you
don't mean to be that restrictive with it.

> Example: I bought a new USB device and there is no driver on the system for
> it. I wrote the driver for it. Why do I need to ask the sysadmin to load this
> driver? I think that the user needs the right to load their own drivers. I am
> sure that this will require many mechanisms to make this secure, but this is
> a good goal, IMHO.

Low level drivers are much too sensitive to allow for normal users.  However,
a USB device driver is not low level.  The USB bus driver is.  Any user should
be allowed to use his own driver for a device, given that he has access to the
bus.

> If you have a program installed on the system, the first stage of the system
> will be to check if the origin of the binary is on the list of trusted origins.
> If it is, it will have access to all capabilities that it is configured to
> have. If it isn't, the system will show the user what the origin of
> the binary is and will ask what to do: *1* Add this origin to the trusted
> origins list and you will have the same as the previous, *2* Run as a trusted
> program but without adding the origin to the trusted list (if you run the
> program one more time it will ask one more time what to do), *3* Run in a
> secure space, with no access to capabilities to edit or read the files (we
> could create a special place where this program can create and edit files)

I think this is too simplistic.  In general, we don't want to trust anything
outside the TCB.  Everything should be confined as much as possible.  That is,
it should get only the capabilities it needs, which usually is "none".

Thanks,
Bas

-- 
I encourage people to send encrypted e-mail (see http://www.gnupg.org).
If you have problems reading my e-mail, use a better reader.
Please send the central message of e-mails as plain text
   in the message body, not as HTML and definitely not as MS Word.
Please do not use the MS Word format for attachments either.
For more information, see http://129.125.47.90/e-mail.html
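The confinement Bas argues for above (a program gets only the capabilities it needs, a scratch area of its own, and resources that can be taken away again) as an added toy model in Python; this is illustration written for this archive page, not code from the l4-hurd list or the Hurd/L4 projects, and the `/sandbox/prog1` path and quota units are constructed.

```python
"""Toy capability confinement: an untrusted program can act only through
the capabilities handed to it (one directory, one memory quota)."""
import posixpath
from dataclasses import dataclass, field


class Denied(Exception):
    """Raised when a program touches something it holds no capability for."""


@dataclass
class Quota:
    limit: int            # units granted by the launcher (constructed scale)
    used: int = 0
    revoked: bool = False  # the granter can take the resource away again

    def take(self, n):
        if self.revoked or self.used + n > self.limit:
            raise Denied("quota exhausted or revoked")
        self.used += n


@dataclass
class DirCap:
    root: str             # only paths under this root are reachable

    def open(self, path):
        # normalise so "../" cannot escape the confined directory
        full = posixpath.normpath(posixpath.join(self.root, path))
        if full != self.root and not full.startswith(self.root + "/"):
            raise Denied(f"no capability for {path}")
        return full


@dataclass
class Confined:
    """An untrusted program: no ambient authority, only its capability table."""
    caps: dict = field(default_factory=dict)

    def write(self, path, size):
        if "dir" not in self.caps or "mem" not in self.caps:
            raise Denied("missing capability")
        full = self.caps["dir"].open(path)   # check the path first ...
        self.caps["mem"].take(size)          # ... then charge the quota
        return full


def run_confined(actions, root="/sandbox/prog1", limit=8):
    """Grant a scratch dir and a quota, run (path, size) actions, and return
    the per-action outcome plus the program so the granter can revoke later."""
    prog = Confined({"dir": DirCap(root), "mem": Quota(limit)})
    results = []
    for path, size in actions:
        try:
            results.append(prog.write(path, size))
        except Denied as err:
            results.append(str(err))
    return results, prog
```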
