Bugtraq mailing list archives
Re: Why you should avoid world-writable directories
From: nmm1 () CUS CAM AC UK (Nick Maclaren)
Date: Tue, 22 Dec 1998 21:44:26 +0100
Gonzo Granzeau <gonzo () IRONMAN PLANETQUAKE COM> writes:
> What's really funny is how often programs with 'secure' in the title usually have a few more security problems than normal... `8r)
I agree that it is amusing, in a cynical sort of way. My experience is that it is almost certainly because the authors (and I am NOT casting stones at any particular person here) miss the fundamental rule:

    The security of a program should be measured by how it is used, and not how it is written.

Most people will have installed a new, high-security feature only to discover that they have actually reduced security, because they didn't have time to study the complete documentation or misunderstood it. For example, hands up everyone who has gone around removing the setuid bit, and included xterm :-(

The user interface AND CHECKING FOR USER ERRORS are as much part of the security of a program as the way that it manipulates privileges. But regrettably few programmers think that it is their business to protect hassled and tired system administrators from their own (often stupid) mistakes.

Regards,
Nick Maclaren,
University of Cambridge Computing Service,
New Museums Site, Pembroke Street, Cambridge CB2 3QG, England.
Email: nmm1 () cam ac uk
Tel.: +44 1223 334761 Fax: +44 1223 334679