tcb - the alternative to shadow

Kostas Georgiou k.georgiou at imperial.ac.uk
Thu Aug 24 16:42:09 UTC 2006


On Thu, Aug 24, 2006 at 11:43:40AM -0400, Chris Ricker wrote:

> On Thu, 24 Aug 2006, Neal Becker wrote:
> 
> > Ralf Ertzinger wrote:
> > 
> > > Hi.
> > > 
> > > On Thu, 24 Aug 2006 11:04:26 -0400, Neal Becker wrote:
> > > 
> > >> http://www.openwall.com/presentations/Owl/mgp00020.html
> > > 
> > > Hmmm. What is the advantage of this scheme? The first disadvantage
> > > that springs to my mind is that any attacker that gains user privileges
> > > (browser bug or whatever) can suddenly change the user password.
> > > 
> > 
> > How is that a disadvantage, compared to existing systems?  With previous
> > systems, if you gain user priv you can also change user password.  I think
> > the idea of tcb is that's all you can do.  No suid root stuff is used. 
> > (Honestly, I don't know much about tcb - I just thought it might be of
> > interest)
> 
> I think Ralf was thinking that tcb would permit something conceptually 
> along the lines of
> 
> $ vi /etc/tcb/`id -un`/shadow
> 
> to change your existing passwd w/o having to know it
> 
> The permissions on /etc/tcb should prevent that though -- only an sgid 
> shadow app (the passwd command) can be used....

It's not a bad idea it's probably unlikely that the existing suid passwd has
any security problems but you never know. 
On the other hand many people (probably everyone who has more than a couple
machines) can just remove the suid bit from passwd right now without any problems
since most likely all their passwords live in kerberos/ldap/nis already.

Kostas




More information about the devel mailing list