12 Security
Oh, I’m Sorry, Sir, Go Ahead, I Didn’t Realize You Were Root

Unix is computer-scientology, not computer science.
—Dave Mankins

The term “Unix security” is, almost by definition, an oxymoron because the Unix operating system was not designed to be secure, except for the vulnerable and ill-designed root/rootless distinction. Security measures to thwart attack were an afterthought. Thus, when Unix is behaving as expected, it is not secure, and making Unix run “securely” means forcing it to do unnatural acts. It’s like the dancing dog at a circus, but not as funny—especially when it is your files that are being eaten by the dog.

The Oxymoronic World of Unix Security

Unix’s birth and evolution precluded security. Its roots as a playpen for hackers and its bag-of-tools philosophy deeply conflict with the requirements for a secure system.
Security Is Not a Line Printer

Unix implements computer security as it implements any other operating system service. A collection of text files (such as .rhosts and /etc/groups), which are edited with the standard Unix editor, control the security configuration. Security is thus enforced by a combination of small programs—each of which allegedly does one function well—and a few tricks in the operating system’s kernel to enforce some sort of overall policy.

Combining configuration files and small utility programs, which works passably well for controlling a line printer, fails when applied to system security. Security is not a line printer: for computer security to work, all aspects of the computer’s operating system must be security aware. Because Unix lacks a uniform policy, every executable program, every configuration file, and every start-up script becomes a critical point. A single error, a misplaced comma, a wrong setting on a file’s permissions enable catastrophic failures of the system’s entire security apparatus. Unix’s “programmer tools” philosophy empowers combinations of relatively benign security flaws to metamorphose into complicated systems for breaking security. The individual elements can even be booby-trapped.

As a result, every piece of the operating system must be examined by itself and in concert with every other piece to ensure freedom from security violations. A “securely run Unix system” is merely an accident waiting to happen. Put another way, the only secure Unix system is one with the power turned off.

Holes in the Armor

Two fundamental design flaws prevent Unix from being secure. First, Unix stores security information about the computer inside the computer itself, without encryption or other mathematical protections. It’s like leaving the keys to your safe sitting on your desk: as soon as an attacker breaks through the Unix front door, he’s compromised the entire system.
Second, the Unix superuser concept is a fundamental security weakness. Nearly all Unix systems come equipped with a special user, called root, that circumvents all security checks and has free and total reign of the system. The superuser may delete any file, modify any programs, or change any user’s password without an audit trail being left behind.
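The chapter’s point that Unix security lives in editable text files and file modes, shown as an added example (not from the book): a POSIX sh audit that flags security-critical files writable by group or world, and .rhosts-style lines that use the “+” wildcard. It goes slightly beyond the page by also accepting hosts.equiv, which shares the .rhosts line format; the paths in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example, not from the book. check_mode flags a security-critical
# file that group or world can rewrite; check_rhosts flags .rhosts /
# hosts.equiv lines whose host or user field is "+", i.e. "trust anyone".

# check_mode FILE -> 0 if only the owner can write it, 1 otherwise
check_mode() {
    f=$1
    [ -e "$f" ] || return 0                 # absent: nothing to rewrite
    mode=$(ls -ld "$f" | cut -c1-10)        # e.g. -rw-rw-r--
    case $mode in
        ?????w*|????????w*)                 # group (col 6) or other (col 9) write bit
            printf 'WRITABLE: %s is %s\n' "$f" "$mode" >&2
            return 1 ;;
    esac
    return 0
}

# check_rhosts FILE -> 0 if no wildcard trust entries, 1 otherwise
# Each line is "host [user]"; a "+" in either field means "anyone".
check_rhosts() {
    f=$1
    [ -r "$f" ] || return 0
    bad=0
    while read -r host user _ || [ -n "$host" ]; do   # also handles a last line without newline
        case $host in ''|'#'*) continue ;; esac       # skip blanks and comments
        if [ "$host" = "+" ] || [ "$user" = "+" ]; then
            printf 'WILDCARD: %s trusts "%s %s"\n' "$f" "$host" "$user" >&2
            bad=1
        fi
    done < "$f"
    return $bad
}

# audit_files FILE... -> 0 if every file passes, 1 if any check fails
audit_files() {
    failures=0
    for f in "$@"; do
        check_mode "$f" || failures=1
        case $f in
            *.rhosts|*/hosts.equiv) check_rhosts "$f" || failures=1 ;;
        esac
    done
    return $failures
}

# usage (illustrative paths): audit_files /etc/passwd /etc/group /etc/hosts.equiv "$HOME/.rhosts"
if [ $# -gt 0 ]; then audit_files "$@"; fi
```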