Firewall Wizards mailing list archives

Re: High ranking lusers


From: "Paul D. Robertson" <proberts () clark net>
Date: Thu, 16 Apr 1998 09:15:40 -0400 (EDT)

On 16 Apr 1998, Anonymous wrote:

true, recent and sad


Little Boss:  The Big Boss wants a shell script to be setuid root.

Me:  Why ? [Thinks: Gotta get an alternative to that!
            He's probably only just heard of setuid bits.]

LB: He wants his scripts to use ftp, and ftp can only be run by root,
           (because security dept believe in client-side access control)
    and he already has a shell script wrapper to call ftp for some reason,
    so now he wants it to be setuid root.

Me: There are loads of problems with setuid scripts.
    [Any introductory book says so.  How can I be diplomatic about this?
     So is the boss happier to keep the letter of the S.D. law, while
     breaking the spirit?  Can we get this user added as 'can also ftp'?
     Why don't they leave things alone until they have time to install
     a good transfer program with OTP or better?]


LB: He wants it soon, and he's going to call it 'secure_ftp'.

Me: <silence>  [What excuse would Dilbert invent?]

Choice 1:

mkuser route;chown route script_wrapper;chmod u+s script_wrapper

"Ok, it's setuid route" <pronounced like Root>

Choice 2:

Articulate the risks and ask if they're sure they reallyreally want to 
add a potential compromise point of such magnitude.  Most managers are 
loath to make such a request, especially in writing.  I generally try to 
articulate the risks to the initiator of the request.  They're not always 
happy, but once they understand the bigger picture, most of them decide 
that the alternative I usually provide is a much better answer.

Choice 3:

Make sure that the script calls a "controlled client" if that meets the 
policy.

Choice 4: 

Find out what he wants his scripts to do, then see if there's a better 
alternative from a functionality and security standpoint.

Choice 5:

Make the security department handle the whole thing.  They should be able 
to do one of the above.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
                                                                     PSB#9280
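
An added example, not part of the original thread: a host audit check for the situation discussed above, listing files that are both setuid/setgid and interpreted scripts. The function name `find_setuid_scripts` and the demo files are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Lists regular files that carry a
# setuid or setgid bit AND start with "#!", i.e. privileged scripts.
# Assumes file names contain no newlines.
find_setuid_scripts() {
    dir=${1:-.}
    # -xdev: stay on one filesystem; match setuid (4000) or setgid (2000).
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        # Inspect only the first two bytes; compiled binaries are skipped.
        magic=$(head -c 2 "$f" 2>/dev/null | tr -d '\0')
        [ "$magic" = '#!' ] || continue
        # The owner decides whose privileges the script would run with.
        owner=$(ls -ld "$f" | awk '{print $3}')
        if [ "$owner" = root ]; then sev=HIGH; else sev=REVIEW; fi
        printf '%s owner=%s %s\n' "$sev" "$owner" "$f"
    done
}

# Constructed demo: a setuid wrapper script next to an ordinary script.
demo_constructed() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\nexec ftp "$@"\n' > "$d/script_wrapper"
    chmod 4755 "$d/script_wrapper"
    printf '#!/bin/sh\necho ok\n' > "$d/plain.sh"
    chmod 755 "$d/plain.sh"
    find_setuid_scripts "$d"
    rm -rf "$d"
}

# Run the demo only when invoked as: sh thisfile demo
if [ "${1:-}" = demo ]; then demo_constructed; fi
```

Linux ignores the setuid bit on interpreted scripts, but some other Unix systems honour it, so a hit is worth reviewing on any platform.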


