244 Security


Security Is Not a Line Printer
Unix implements computer security as it implements any other operating
system service. A collection of text files (such as .rhosts and /etc/groups),
which are edited with the standard Unix editor, control the security
configuration. Security is thus enforced by a combination of small programs,
each of which allegedly does one function well, and a few tricks in the
operating system’s kernel to enforce some sort of overall policy.

Combining configuration files and small utility programs, which works
passably well for controlling a line printer, fails when applied to system
security. Security is not a line printer: for computer security to work, all
aspects of the computer’s operating system must be security aware.
Because Unix lacks a uniform policy, every executable program, every
configuration file, and every start-up script becomes a critical point. A
single error, a misplaced comma, a wrong setting on a file’s permissions
enable catastrophic failures of the system’s entire security apparatus.
Unix’s “programmer tools” philosophy empowers combinations of
relatively benign security flaws to metamorphose into complicated systems for
breaking security. The individual elements can even be booby-trapped. As
a result, every piece of the operating system must be examined by itself and
in concert with every other piece to ensure freedom from security
violations.
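An added example, not from the book, of what "every configuration file is a critical point" looks like in practice: a small Python audit of a .rhosts file that flags the one-character "+" wildcard entries (which trust every host or every user) and loose write permissions on the file. The .rhosts contents and the file mode used here are constructed for the demonstration.

```python
import os
import stat
import tempfile

# Constructed sample: one ordinary trust entry, then a "+ +" line that
# trusts every user on every host. One character is the whole difference.
SAMPLE_RHOSTS = "trusted.example.com alice\n+ +\n"


def rhosts_findings(text):
    """Return (line_no, problem) tuples for risky entries in .rhosts text.

    Each non-comment line is "host [user]". A "+" in either field is a
    wildcard, so a single such line removes the password check for rlogin/rsh
    into this account.
    """
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host == "+":
            findings.append((n, "wildcard host '+' trusts every host"))
        if user == "+":
            findings.append((n, "wildcard user '+' trusts every user"))
    return findings


def permission_findings(path):
    """Flag a security file that anyone besides its owner can rewrite."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings


def audit_rhosts(path):
    with open(path) as f:
        text = f.read()
    return {"content": rhosts_findings(text), "mode": permission_findings(path)}


def demo():
    """Write the constructed sample with a deliberately loose mode and audit it."""
    path = os.path.join(tempfile.mkdtemp(), ".rhosts")
    with open(path, "w") as f:
        f.write(SAMPLE_RHOSTS)
    os.chmod(path, 0o666)  # constructed: group- and world-writable
    return audit_rhosts(path)
```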

A “securely run Unix system” is merely an accident waiting to happen. Put
another way, the only secure Unix system is one with the power turned off.

Holes in the Armor


Two fundamental design flaws prevent Unix from being secure. First, Unix
stores security information about the computer inside the computer itself,
without encryption or other mathematical protections. It’s like leaving the
keys to your safe sitting on your desk: as soon as an attacker breaks
through the Unix front door, he’s compromised the entire system. Second,
the Unix superuser concept is a fundamental security weakness. Nearly all
Unix systems come equipped with a special user, called root, that
circumvents all security checks and has free and total reign of the system. The
superuser may delete any file, modify any programs, or change any user’s
password without an audit trail being left behind.