Ah, but the administrator does not have to be evil. Careless or trusting would suffice.
Regards,
Richard Schuh

-----Original Message-----
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED]] On Behalf Of Alan Altmark
Sent: Wednesday, November 07, 2007 9:40 AM
To: [email protected]
Subject: Re: Changing privclass of SHUTDOWN

On Wednesday, 11/07/2007 at 12:10 EST, "Schuh, Richard" <[EMAIL PROTECTED]> wrote:
> Maybe we ought to require that two keys in the possession of different people,
> preferably in different countries, be turned simultaneously before any command
> is accepted. (Are you reading this, Chuckie? I know that you can find a way to
> implement it on the garden-variety PC. It might make you rich.)

z/VM's security certifications fall under protection profiles that assume "no evil administrators" and, so, only one key is required. Only when you assume you have evil administrators do you switch to a two-key system. You say SHUTDOWN and the system asks another administrator if it is ok.

HCPDIE666A USER RICHARD REQUESTS SELF DESTRUCT.
ENTER YOUR PASSWORD TO CONFIRM, ANYTHING ELSE TO REJECT.
HCPDIE666A AFTER 2 MINUTES, REQUEST WILL BE REJECTED AUTOMATICALLY.
<CP READ>
HCPDIE667I SELF DESTRUCT HAS BEEN CONFIRMED. NO FURTHER AUDIO NOTIFICATIONS WILL BE GIVEN.

Requiring authentication (without using your private combination to open a safe and break little plastic cards in half) ensures that you can't automate it. The keys are too far apart for one person to turn both.

If someone tries to turn off RACF, for example, the system operator is prompted to concur. It's not secure, but it can prevent an honest mistake. Likewise, SHUTDOWN could prompt any other available class A user to concur. Ah, but what if no other class A user is available?

But this is all doable with SVMs today and probably very easily with Sine Nomine's SYSVINIT.

[The following is a fictitious dialog... any resemblance to any actual implementation is purely coincidental.]

SMSG MYSERV SHUTDOWN MYSYS
MSG FROM MYSERV: SYSTEM SHUTDOWN REQUESTED BY OPERATOR
MSG FROM MYSERV: CONFIRMATION REQUESTED FROM ALAN
MSG FROM MYSERV: ALAN IS NOT LOGGED ON
MSG FROM MYSERV: CONFIRMATION REQUESTED FROM DAVID
MSG FROM MYSERV: DAVID SAYS OK
MSG FROM MYSERV: -- START SUBSYSTEM SHUTDOWN ---
MSG FROM MYSERV: NO NEW LOGINS ALLOWED
MSG FROM MYSERV: TCP/IP SHUTTING DOWN
MSG FROM MYSERV: TCP/IP IS DOWN
MSG FROM MYSERV: SFS SHUTTING DOWN
:
MSG FROM MYSERV: -- START CP SHUTDOWN
<gaaack>

> I have always been a believer in "Rule Number 1" which is "Know what you are
> doing." The thinking needs to begin before the command is entered. I have seen
> more havoc wreaked on systems by those who accidentally push or pull the wrong
> button on a cpu than I have by someone entering the wrong command from a
> keyboard. I have seen (but not been a party to) several unintentional power
> downs, both normal and emergency, over the past 44 years but only one
> accidental SHUTDOWN command.

My mantra to those new to TCP/IP dynamic routing: Stand away from the keyboard and no one will be harmed.

Alan Altmark
z/VM Development
IBM Endicott
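The two-key SHUTDOWN dialog sketched in the quoted message, worked through as an added example that is not z/VM, CP or SYSVINIT code and not from either poster: a class A user other than the requester, and actually logged on, is asked to confirm with their own password; the requester cannot turn the second key; an unanswered or wrongly answered request is rejected, and after the two-minute window it is rejected automatically; and, answering the "what if no other class A user is available?" question, the request fails closed when there is nobody else to ask. The user names, passwords, the MYSERV-style messages and the injected clock are constructed for the example.

```python
"""Two-key confirmation for a privileged command such as SHUTDOWN.
Added example modelled on the fictitious MYSERV dialog; not z/VM, CP or
SYSVINIT code.  Users, passwords and the 120 s window are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

CONFIRM_WINDOW_SECONDS = 120  # "AFTER 2 MINUTES, REQUEST WILL BE REJECTED AUTOMATICALLY"


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class User:
    name: str
    privclass: str
    salt: bytes
    pw_hash: bytes
    logged_on: bool = False

    @classmethod
    def create(cls, name, privclass, password, logged_on=False):
        salt = os.urandom(16)
        return cls(name, privclass, salt, _pw_hash(password, salt), logged_on)

    def check_password(self, password: str) -> bool:
        # constant-time compare: this password is the second key
        return hmac.compare_digest(self.pw_hash, _pw_hash(password, self.salt))


@dataclass
class Request:
    command: str
    requester: str
    created_at: float
    confirmer: str = ""        # who was asked to turn the second key
    state: str = "PENDING"     # PENDING -> CONFIRMED | REJECTED
    log: list = field(default_factory=list)


class TwoKeyGate:
    """The service machine's side: pick a second key-holder, then wait for a password."""
    def __init__(self, users, clock):
        self.users = {u.name: u for u in users}
        self.clock = clock     # injected so the expiry check is testable offline

    def request(self, command: str, requester: str) -> Request:
        req = Request(command, requester, self.clock())
        req.log.append(f"{command} REQUESTED BY {requester}")
        # The second key must belong to a *different* class A user who is reachable.
        for name, u in self.users.items():
            if name == requester or u.privclass != "A":
                continue
            req.log.append(f"CONFIRMATION REQUESTED FROM {name}")
            if u.logged_on:
                req.confirmer = name
                return req
            req.log.append(f"{name} IS NOT LOGGED ON")
        # "What if no other class A user is available?": fail closed.
        req.state = "REJECTED"
        req.log.append("NO OTHER CLASS A USER AVAILABLE, REQUEST REJECTED")
        return req

    def confirm(self, req: Request, who: str, password: str) -> str:
        if req.state != "PENDING":
            return req.state
        if self.clock() - req.created_at > CONFIRM_WINDOW_SECONDS:
            req.state = "REJECTED"
            req.log.append("REQUEST TIMED OUT, REJECTED AUTOMATICALLY")
            return req.state
        # Only the designated confirmer's own password counts; anything else rejects.
        if who == req.confirmer and self.users[who].check_password(password):
            req.state, note = "CONFIRMED", f"{who} SAYS OK"
        else:
            req.state, note = "REJECTED", f"REJECTED (ANSWER FROM {who})"
        req.log.append(note)
        return req.state


def demo():
    """Constructed scenario: OPERATOR asks for SHUTDOWN, ALAN is away, DAVID is on."""
    users = [User.create("OPERATOR", "A", "op-secret", logged_on=True),
             User.create("ALAN", "A", "alan-secret", logged_on=False),
             User.create("DAVID", "A", "david-secret", logged_on=True),
             User.create("RICHARD", "G", "rich-secret", logged_on=True)]  # not class A
    now = [1000.0]
    gate = TwoKeyGate(users, clock=lambda: now[0])
    r1 = gate.request("SHUTDOWN MYSYS", "OPERATOR")           # ALAN skipped, DAVID asked
    confirmed = gate.confirm(r1, "DAVID", "david-secret")
    r2 = gate.request("SHUTDOWN MYSYS", "OPERATOR")
    self_confirm = gate.confirm(r2, "OPERATOR", "op-secret")   # requester cannot confirm
    r3 = gate.request("SHUTDOWN MYSYS", "OPERATOR")
    wrong_pw = gate.confirm(r3, "DAVID", "guess")              # wrong second key
    r4 = gate.request("SHUTDOWN MYSYS", "OPERATOR")
    now[0] += CONFIRM_WINDOW_SECONDS + 1
    timed_out = gate.confirm(r4, "DAVID", "david-secret")      # answered too late
    users[0].logged_on = False                                # now only DAVID is on
    r5 = gate.request("SHUTDOWN MYSYS", "DAVID")               # nobody else to ask
    return confirmed, self_confirm, wrong_pw, timed_out, r5.state, r1.log, r5.log
```

Running `demo()` yields CONFIRMED for the first request and REJECTED for the other four; `r1.log` reproduces the ALAN-not-logged-on, DAVID-says-OK sequence of the dialog. The point of injecting the clock is that the auto-reject path can be exercised without waiting two minutes; in a real service machine the same check would run against wall-clock time on every confirmation attempt, so a stale request can never be confirmed late.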
