star access control [PSARC/2008/176 FastTrack timeout 03/12/2008]
James Carlson
james.d.carlson at sun.com
Thu Mar 20 06:18:26 PDT 2008
Nicolas Williams writes:
> If you can make it a user's shell (odd, I know) or forced command (think
> ssh authorized_keys), then it can make sense. Even then I think it
> doesn't need to audit as the system can ultimately audit everything that
> rmt does anyways, and you'd have to be able to grant it PRIV_PROC_AUDIT,
> which isn't impossible for a user shell, but which would require a
> wrapper, which...
>
> OK, so the feature is pointless, so what?
It provides a new security feature that can't (at least by itself)
provide the security it claims to implement. That's a risk to system
administrators who may rely on that claim and end up surprised when
users can waltz by the access controls.
I don't think we ought to be delivering this new variant of rmt at all
(what problem does it solve?), but if we must, then the documentation
for it should provide explicit warnings about the limitations of this
"security feature."
--
James Carlson, Solaris Networking <james.d.carlson at sun.com>
Sun Microsystems / 35 Network Drive 71.232W Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757 42.496N Fax +1 781 442 1677