Re: Why you should avoid world-writable directories

[nmm1 () CUS CAM AC UK (Nick Maclaren)]

Gonzo Granzeau <gonzo () IRONMAN PLANETQUAKE COM> writes:
> What's really funny is how often programs with 'secure' in the title usually
> have a few more security problems than normal... `8r)

I agree that it is amusing, in a cynical sort of way.  My experience is
that it is almost certainly because the authors (and I am NOT casting
stones at any particular person here) miss the fundamental rule:

    The security of a program should be measured by how it is used,
    and not how it is written.

Most people will have installed a new, high-security feature only to
discover that they have actually reduced security, because they didn't
have time to study the complete documentation or misunderstood it.
For example, hands up everyone who has gone around removing the setuid
bit, and included xterm :-(

The user interface AND CHECKING FOR USER ERRORS are as much part of
the security of a program as the way that it manipulates privileges.
But regrettably few programmers think that it is their business to
protect hassled and tired system administrators from their own (often
stupid) mistakes.


Regards,
Nick Maclaren,
University of Cambridge Computing Service,
New Museums Site, Pembroke Street, Cambridge CB2 3QG, England.
Email:  nmm1 () cam ac uk
Tel.:  +44 1223 334761    Fax:  +44 1223 334679