On Thu, 25 Aug 1994, KevinTX wrote:

> > Well, this is not a bug but a question on
> > the design of most Unix systems. It seems to me, and
> > I tried this on Ultrix 4.3, HPUX 9.01, Linux 1.1.x,
> > when root opens a file, being the owner or not, the
> > system does not check the file permissions before
> > granting him access. The same goes for writing and
> > unlinking a file.
>
> I've long considered this to be "wrong" as well. Forcing root to
> have to obey whether something is allowed to be writable by root
> would close up a lot of the various holes out there. Of course
> this creates problems with things like the traditional "passwd"
> program that would then have to know to do a chmod to give root write
> perms to the password file..

I don't know, but having seen three different other designs, I notice
the most secure systems place account creation code as a system call
rather than allowing a privileged user to simply create an account.

RSTS/E, which is considered "bulletproof" because the sources were
readily available and the administrators were often high-school and
college students, got a lot of banging around by people who got to look
at the internals and could figure ways to keep their systems from being
invaded. (If these kids hadn't been the administrators they probably
would have been trying to break into the system. When you already have
privileges there's no fun in trying to find them since you already have
them. I know, I've been on both sides, once as a nonprivileged user of
a non-RSTS system and thirsting for privileges, and then eventually
becoming one of the administrators and having them, and using them to
get what I had to do done.)

Same thing with the Univac 90/60's VS/9 operating system which uses a
system command to create or remove accounts. VS/9 was a mainframe
operating system for an IBM 360 clone.

When account creation is a kernel-level function (or supervisor-level
function, in systems having more than 2 privilege levels) where the work
is done by the operating system in response to a request by a privileged
process, for some reason this tends to be more secure than systems that
do account creation at the process-level. Or at least it seems that way.

Reports on Security Problems: To Subscribe write PROBLEMS-REQUEST@TDR.COM
Paul Robinson - paul@tdr.com / tdarcos@MCIMail.com / tdarcos@access.digex.net
Voted "Largest Polluter of the (IETF) list" by Randy Bush <randy@psg.com>
Voted "Largest Polluter of digex.general" by Mike <voss@orange.digex.net>
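As an added example (not code from the thread; the helper names are my own, and it assumes a POSIX system with seteuid/setegid such as Linux), here is the usual way a set-uid root program avoids the behaviour KevinTX describes when it opens a user-supplied path: it drops to the real uid around the open() so the kernel applies the mode bits, then regains privilege.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` with the caller's *real* uid/gid subject to the mode bits, even
 * when the effective uid is 0 (a set-uid root program opening a user-supplied
 * path); a plain open() by euid 0 skips that check, as the thread describes.
 * Returns the fd, or -1 with errno set, like open(). */
int open_as_real_user(const char *path, int flags)
{
    uid_t euid = geteuid(), ruid = getuid();
    gid_t egid = getegid(), rgid = getgid();
    int dropped = (euid == 0 && ruid != 0), fd, saved_errno;

    /* Drop the group first: once euid is non-zero, setegid() is restricted. */
    if (dropped && (setegid(rgid) != 0 || seteuid(ruid) != 0))
        return -1;
    fd = open(path, flags);
    saved_errno = errno;
    /* The saved set-uid is still 0, so regaining privilege is permitted. */
    if (dropped && (seteuid(euid) != 0 || setegid(egid) != 0))
        abort();
    errno = saved_errno;
    return fd;
}

/* Self-check: create a constructed temp file that even its owner may not read
 * (mode 0) and open it through the helper. With an unprivileged real uid the
 * kernel must refuse with EACCES; when the real uid is itself 0 there is
 * nothing to drop to, so root's bypass remains and the open succeeds.
 * Returns 1 when the observed behaviour matches that expectation. */
int check_real_user_dac(void)
{
    char path[] = "/tmp/dac-demo-XXXXXX";
    int ok = 0, fd = mkstemp(path);

    if (fd >= 0 && fchmod(fd, 0) == 0) {
        close(fd);
        fd = open_as_real_user(path, O_RDONLY);
        ok = (getuid() != 0) ? (fd == -1 && errno == EACCES) : (fd >= 0);
    }
    if (fd >= 0)
        close(fd);
    unlink(path);
    return ok;
}

int main(void) { return check_real_user_dac() ? 0 : 1; }
```

On Linux the bypass the thread describes is the CAP_DAC_OVERRIDE capability (CAP_DAC_READ_SEARCH for reads and directory search); a privileged service that drops those capabilities gets the same enforcement without switching uids.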