Pantek Library

Re: /etc/passwd, etc ownership

From: Albert Mietus <albert(at)gamp.hacom.nl>
Date: Wed Feb 26 1997 - 13:33:32 EST

> > How many cases are there where someone can mess with the ownership
> > of /etc/passwd but not anything else?
>
> I've personally seen a couple of instances where a careless
> programmer did not set his umask before manipulating password files,
> and the result was mode 666 files. In one instance, the utility had
> been running for several weeks before someone noticed the problem.

True, this is a security hole. BUT this example can NEVER (in my opinion) be an argument to "add code to prevent this".

I'm sure that when an OS is designed that covers this problem, there is some even more stupid user...

Yes, a cronjob (à la daily->security) that gives warnings works. But real restrictions will become a handicap, and so workarounds will be used!

To summarize: yes we need a secure OS, yes we can use tools that verify this, NO we don't want restrictions that make users (including/especially root) "careless".

---GAM
"This should be a jolly quote"

Received on Thu Feb 27 09:34:57 1997
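A warn-only cron check of the kind discussed in this message, as an added example that is not part of the original post or of any system's daily security script. The function names, the demo file names and the choice of `root` as expected owner are assumptions; the check only reports and never changes a file.

```shell
#!/bin/sh
# check_file PATH OWNER: print one WARNING line per problem and return the
# number of problems found (0 = clean). OWNER is a user name or numeric uid.
check_file() {
    path=$1 owner=$2 problems=0
    if [ ! -e "$path" ]; then
        echo "WARNING: $path is missing"
        return 1
    fi
    # find -prune tests only the named file; -perm -NNN means "these bits set".
    if [ -n "$(find "$path" -prune -perm -002)" ]; then
        echo "WARNING: $path is world-writable"
        problems=$((problems + 1))
    fi
    if [ -n "$(find "$path" -prune -perm -020)" ]; then
        echo "WARNING: $path is group-writable"
        problems=$((problems + 1))
    fi
    if [ -n "$(find "$path" -prune ! -user "$owner")" ]; then
        echo "WARNING: $path is not owned by $owner"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# audit_files OWNER FILE...: check every file; return 1 if any produced a warning.
audit_files() {
    owner=$1; shift
    any=0
    for f in "$@"; do
        check_file "$f" "$owner" || any=1
    done
    return "$any"
}

# Constructed sample: reproduce the thread's case (a file written with no
# umask set, here umask 000, ends up mode 666) beside one written under 022.
make_demo_files() {
    dir=$(mktemp -d)
    ( umask 000; : > "$dir/passwd.careless" )
    ( umask 022; : > "$dir/passwd.careful" )
    echo "$dir"
}

# Assumed cron usage (root-owned files): audit_files root /etc/passwd /etc/group
```

Because the functions print only when something is wrong, a cron job that calls `audit_files` stays silent on a clean system and mails the warnings otherwise.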

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:41:02 EDT
