Re: UNIX Security Weaknesses and Potential Solutions
- From: Volker Birk <bumens@xxxxxxxxxxx>
- Date: 17 Oct 2006 05:25:32 +0200
subzero@xxxxxxxx wrote:
> I recall reading once, about 10 years ago (in a book titled "Out of
> Control"), that writers of malware code protect their computers from
> becoming infected from their own malware by creating a complete
> virtual/simulated computer inside of their (real) computer and running
> their malware code on the simulated computer.
What you're referencing is called virtualization, and many people do
that.
It's the thing VMWare, Xen, MacOnLinux, UserModeLinux, ... do.
> Perhaps a similar strategy could be used by the average computer user,
> at least when surfing the internet, in order (to prevent the firmware
> from becoming infected). Such a strategy could (and should) be used by
> web browsers (at minimum).
Good idea. And not new.
> Do you (or anyone else reading this) know of a way to amend or alter
> the UNIX code so that it is NOT possible to change the root password
> without knowing the password which had previously been set?
This requires additions like SELinux for Linux. But why would someone
want to have this? It's only possible to prevent this at runtime; offline
change remains possible.
Some people completely disable unwanted privileges by using a capability
system at runtime. And that's enough.
[opinion snipped]
> I'm sure I
> don't need to explain the principle of least/minimum privilege to most
> readers of this forum.
Perhaps you want to read about capability based systems. They're near
the concept you have in mind.
Yours,
VB.
--
"Ich lache nie."
Besim Karadeniz in d.c.s.m.