Firewall Wizards mailing list archives
Re: High ranking lusers
From: "Paul D. Robertson" <proberts () clark net>
Date: Thu, 16 Apr 1998 09:15:40 -0400 (EDT)
On 16 Apr 1998, Anonymous wrote:
> true, recent and sad
>
> Little Boss: The Big Boss wants a shell script to be setuid root.
>
> Me: Why? [Thinks: Gotta get an alternative to that! He's probably only
> just heard of setuid bits.]
>
> LB: He wants his scripts to use ftp, and ftp can only be run by root
> (because security dept believe in client-side access control), and he
> already has a shell script wrapper to call ftp for some reason, so now he
> wants it to be setuid root.
>
> Me: There are loads of problems with setuid scripts. [Any introductory
> book says so. How can I be diplomatic about this? So is the boss happier
> to keep the letter of the S.D. law, while breaking the spirit? Can we get
> this user added as 'can also ftp'? Why don't they leave things alone
> until they have time to install a good transfer program with OTP or
> better?]
>
> LB: He wants it soon, and he's going to call it 'secure_ftp'.
>
> Me: <silence> [What excuse would Dilbert invent?]
Choice 1: mkuser route; chown route script_wrapper; chmod u+s script_wrapper
          "Ok, it's setuid route" <pronounced like Root>

Choice 2: Articulate the risks and ask if they're sure they really, really
want to add a potential compromise point of such magnitude. Most managers
are loath to make such a request, especially in writing. I generally try to
articulate the risks to the initiator of the request. They're not always
happy, but once they understand the bigger picture, most of them decide that
the alternative I usually provide is a much better answer.

Choice 3: Make sure that the script calls a "controlled client" if that
meets the policy.

Choice 4: Find out what he wants his scripts to do, then see if there's a
better alternative from a functionality and security standpoint.

Choice 5: Make the security department handle the whole thing. They should
be able to do one of the above.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
PSB#9280
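One defensive check that follows from this thread, as an added example that is not from the list or from Paul's post: a Python audit that walks a directory tree and reports setuid/setgid files, separating interpreted scripts (files starting with "#!", like the proposed 'secure_ftp' wrapper) from setuid binaries so the scripts can be reviewed first. The sample tree it builds is constructed for the demo and is not a real host.

```python
import os
import stat
import tempfile

def classify(mode, header):
    """Return 'setuid-script', 'setuid-binary' or None for one file.

    mode   -- st_mode from os.lstat
    header -- the first bytes of the file
    """
    if not stat.S_ISREG(mode):
        return None
    if not mode & (stat.S_ISUID | stat.S_ISGID):
        return None
    # A "#!" file is run by handing its path to an interpreter, which is
    # what makes a setuid script so much harder to make safe than a binary.
    return "setuid-script" if header.startswith(b"#!") else "setuid-binary"

def audit_setuid(root):
    """Walk root; return {relative path: classification} for setuid/setgid files."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue          # skip symlinks, devices, etc.
            with open(path, "rb") as f:
                header = f.read(2)
            kind = classify(st.st_mode, header)
            if kind:
                findings[os.path.relpath(path, root)] = kind
    return findings

def demo():
    """Build a constructed sample tree (not a real system) and audit it."""
    root = tempfile.mkdtemp()
    samples = {
        "secure_ftp": (b"#!/bin/sh\nexec ftp \"$@\"\n", 0o4755),  # wrapper from the thread
        "ftp":        (b"\x7fELF" + b"\0" * 12, 0o4755),          # setuid binary, not a script
        "notes.txt":  (b"plain text\n", 0o644),                   # ordinary file, not reported
    }
    for name, (content, mode) in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(content)
        os.chmod(path, mode)
    return audit_setuid(root)

if __name__ == "__main__":
    for path, kind in sorted(demo().items()):
        print(f"{kind:14} {path}")
```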