[rsbac] kernel user management questions

Amon Ott ao at rsbac.org
Thu Feb 3 17:44:50 CET 2005


On Thursday 03 February 2005 16:44, Dmitry V. Levin wrote:
> On Thu, Feb 03, 2005 at 09:58:54AM +0100, Amon Ott wrote:
> [...]
> > On Thursday 03 February 2005 06:03, sftf at yandex.ru wrote:
> > >   Will you be so kind as to answer a couple of questions?
> > >    1. What are the benefits of "in-kernel user management" over
> > >      the traditional Linux user management subsystem?
> > 
> > The traditional Linux user management, especially the common
> > passwd/shadow scheme with PAM, has several security problems:
> > 
> [...]
> > 2. No granularity:
> > If a process has access to sensitive account or even authentication
> > data of one user, it has access to the same for _all_ users in the
> > system, even the administration accounts.
> > 
> > 3. Changing passwords:
> > Because of 2., a program which allows password changes by the user
> > (usually passwd), also has access to all passwords. An admin account
> > which is allowed to set new passwords for normal users, who tend to
> > forget their passwords, can do the same for any user - including
> > other admins. This means this admin can get access to all other admin
> > accounts, even if direct access is not allowed through RSBAC access
> > control.
> > 
> > 4. Password attacks:
> > As encrypted passwords are readable for too many processes, they can
> > be guessed via dictionary attacks. Worse, the old crypt is easy to
> > crack, and even the MD5 replacement is rumoured to be attackable with
> > databases of precomputed MD5 strings.
> 
> You can fix these issues in userspace with an alternative shadowing
> scheme, see http://www.openwall.com/tcb/

So tcb uses separate passwd and shadow files for every user and thus
allows access control on them separately? This would give better
granularity than standard, although you still cannot separate account
validity data and passwords or id-name matching and fullname etc.

And still the encrypted password strings are read by every 
authenticating process. Hack login and you can read everything about 
the users this login is allowed to authenticate.

Altogether I think tcb does not fix these issues 2 to 4, it only 
improves them somewhat, and it leaves the other issues open.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22