PlanetLab Creates a More Advanced Sudo

angry tapir writes "Researchers at the PlanetLab global research network have developed a potential replacement for the widely used Unix sudo tool, called Vsys, that will offer administrators far greater control over what end users can and can't access. Vsys is similar to sudo, except it offers finer-grained access to system resources. PlanetLab created Vsys as a way to allow its researchers to access low-level network functionality so they could develop new network technologies — overlay networks, user-level file systems, virtual switches — while their experimental work remained safely isolated from other users."

Executable configuration?

[Max+Romantschuk]

With Vsys, administrators can create scripts, called extensions, that can carefully detail which user actions are permissible. Extensions can be written in any programming language. The extensions are executable files.

I'm sure it's flexible, but wouldn't executable configuration be a potential source of programming errors, and thus an additional attack vector? If the extension is done correctly I assume all is well, but how do you make sure it is? Or are you better off using SELinux? (Which isn't user friendly either, but at least paranoid...)

Re:Executable configuration?

[phantomfive]

This solves a problem that probably exists nowhere outside PlanetLab: trying to segregate users who are trying to build experimental networks. Now, you might ask, why not just buy a different computer for each experimenter? And indeed that is what I would do, except, these experimenters are trying to experiment on clusters.

So they are trying to segregate the capabilities of various users over many nodes in a cluster, whom they rent time to in a shared system. So there you have it. If you are trying to rent time in a shared cluster to network researchers, this is the tool for you!!

Re:Most admins ignore sudo's granularity

[Frosty+Piss]

I don't know about most *nix systems admins, but I use root.

I'm not moron, I am neurotic about copious backups during work, I make the most of my development servers prior to pushing to the production servers, and am not generally susceptible to asking for problem solutions on-line and just assuming the rm -rf * is the solution to my problems (and it doesn't work with Windows...).

Seriously, do most admins really use sudo? I don't believe it.

Indeed there are a number of Linux distros that almost require it. I don'r use them.

Re:Most admins ignore sudo's granularity

[ChrisMaple]

If you've ever worked with someone who's productive but untrustworthy, you know that some people need to be precisely limited in their access. I know it's frustrating when I have to ask for permission just to do my job, but it's better than the guy who frequently crashes the servers to do so, or to have an unqualified person adding untested changes to a design.

Re:I don't need more.

[SigmundFloyd]

I know what sudo does.

If you knew what sudo does, you wouldn't have written this:

"su -c $blah" should be all anyone needs.

Subject to race conditions -- lame

[plsuh]

Folks,

Does no one remember 2007? Bob Watson presented a paper on exploiting concurrency to break all kinds of things like systrace back then, complete with example code. Vsys is the same kind of thing -- it has processes executing in an outside space where you can have a race condition and force the parameters to change after the clearance check but before it actually does the work. See:

http://www.watson.org/~robert/2007woot/

--Paul