
Re: RC Security Flaw - mkdir & script create as 755, 644. SB &700, yes?



>>"tluxt" ==   <tluxt2@yahoo.com> writes:

 tluxt> --- Wichert Akkerman <wichert@wiggy.net> wrote:
 >> Previously tluxt2@yahoo.com wrote:
 >> > I think, from a security standpoint, from a fresh install, it would be
 >> > appropriate to have the default permissions be at most 700 (ie, no bits on
 >> > in the group & world fields).
 >> 
 >> Why?

 tluxt> Because, if those bits are left on (most importantly for the
 tluxt> world bits - perhaps less importantly for the group bits),
 tluxt> then, _by default_, nonroot users will have access to such
 tluxt> directories and files.

	I think this is a good thing.  I learned a lot about UNIX by
 wandering around the machine learning things.

 tluxt> I think that is a bad default.  It provides a way that non
 tluxt> root users have access to some root information - by default.

	Yup. Openness and accountability, I say.

 tluxt> Perhaps that information should not be available to non root
 tluxt> users.

	Why?

 tluxt> So, by default, non root users shouldn't be given access to
 tluxt> such things.  So, by default, those bits should be off.

	Why?

 tluxt> If root _does_ desire to give nonroot users access to any
 tluxt> specific information, root can easily do that, on a case by
 tluxt> case basis.

	The converse is also true -- you can deny access on a case by
 case basis. Why is being closed better than not?

 tluxt> Perhaps this is analogous to locking the door to one's house.

	No. This is like locking every door and window and cupboard in
 your house. Locking your house is perimeter defense -- get a firewall.

 tluxt> If you live in an isolated very small town, where everyone is
 tluxt> friends and everyone knows everyone, you might leave the door
 tluxt> of your house unlocked all the time.

	like, have telnetd running and no firewall.

 tluxt> But, if you lived in a big city, you could quickly lose
 tluxt> valuable things if you did that.  So, in a big city, by
 tluxt> default, you lock your door.

	Yes. But my pantry is locked away from the kitchen, and my
 spouse is not locked out of my dresser.

	manoj
-- 
 Do not underestimate the value of print statements for debugging.
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
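Added example, not part of the original thread: a POSIX sh script that computes the default modes a given umask yields (022 gives the 755/644 defaults named in the subject line, 077 gives the 700/600 that the "at most 700" proposal implies) and checks them against what mkdir and file creation really produce. It assumes only a POSIX sh with mktemp and ls; the helper names are my own.

```shell
#!/bin/sh
# Added example, not part of the original thread. The helper names are my own.
# New directories start from mode 0777 and new files from 0666; the process
# umask clears bits, so 022 gives 755/644 and 077 gives 700/600.

# mode_for_umask dir|file UMASK -> octal mode a new object gets under UMASK.
mode_for_umask() {
    case $1 in dir) base=0777 ;; file) base=0666 ;; *) return 1 ;; esac
    printf '%o\n' $(( base & ~$2 ))
}

# sym_to_octal 'drwxr-xr-x' -> 755. Converts an ls -l mode string to octal
# permission bits (a lower-case s or t also means the execute bit is set).
sym_to_octal() {
    n=0; i=2
    while [ "$i" -le 10 ]; do
        case "$(printf '%s' "$1" | cut -c "$i")" in
            [rwxst]) n=$(( n * 2 + 1 )) ;;
            *)       n=$(( n * 2 )) ;;
        esac
        i=$(( i + 1 ))
    done
    printf '%o\n' "$n"
}

# observed_mode UMASK dir|file -> mode of an object really created under UMASK
# (in a scratch directory that is removed afterwards).
observed_mode() {
    tmp=$(mktemp -d) || return 1
    ( umask "$1"
      if [ "$2" = dir ]; then mkdir "$tmp/new"; else : > "$tmp/new"; fi )
    sym_to_octal "$(ls -ld "$tmp/new" | cut -c 1-10)"
    rm -rf "$tmp"
}

# check_umask UMASK: print computed vs. observed modes; succeeds if they agree.
check_umask() {
    for kind in dir file; do
        want=$(mode_for_umask "$kind" "$1") || return 1
        got=$(observed_mode "$1" "$kind") || return 1
        printf 'umask %s: new %-4s -> %s (computed %s)\n' "$1" "$kind" "$got" "$want"
        [ "$got" = "$want" ] || return 1
    done
}

check_umask 022   # the install-time default under discussion: 755 / 644
check_umask 077   # the "at most 700" proposal: 700 / 600
```

Setting the umask only narrows what new objects get by default; it does not change anything already on disk, which is why the thread's "case by case" chmod and the global default are separate decisions.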
