>>>>> "Anonymous" == Anonymous <remailerat_private> writes:

Anonymous> Little Boss: The Big Boss wants a shell script to be setuid root.
Anonymous> Me: Why? [Thinks: Gotta get an alternative to that!
Anonymous> He's probably only just heard of setuid bits.]
Anonymous> LB: He wants his scripts to use ftp, and ftp can only be run by root,
Anonymous> (because security dept believe in client-side access control)
Anonymous> and he already has a shell script wrapper to call ftp for some reason,
Anonymous> so now he wants it to be setuid root.
Anonymous> Me: There are loads of problems with setuid scripts.
Anonymous> [Any introductory book says so. How can I be diplomatic about this?
Anonymous> So is the boss happier to keep the letter of the S.D. law, while
Anonymous> breaking the spirit? Can we get this user added as 'can also ftp'?
Anonymous> Why don't they leave things alone until they have time to install
Anonymous> a good transfer program with OTP or better?]
Anonymous> LB: He wants it soon, and he's going to call it 'secure_ftp'.
Anonymous> Me: <silence> [What excuse would Dilbert invent?]

1) If you think only allowing root to run FTP will stop anything, you're
   either confused or running in an amazingly draconian environment where
   users can't create executable programs.

2) Setuid shell scripts (at least /bin/sh ones) are secure in many modern
   operating systems, such as Solaris 2.x, thanks to /dev/fd.

3) If (1) and (2) fail to make you modify your policy, you can always make
   him code a setuid wrapper in C, instead of shell.

--
Carson Gaspar -- carsonat_private carsonat_private carsonat_private
http://www.cs.columbia.edu/~carson/home.html
Queen Trapped in a Butch Body
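
The C wrapper suggested in point 3 of the reply, as an added example that is not part of the original message: it accepts one validated host argument and execs a fixed absolute path with a fixed environment, so no shell, PATH search or caller-supplied variable is involved. TARGET, the environment values and the helper names host_is_safe and build_argv are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define TARGET "/usr/bin/ftp"   /* assumption: absolute path, not writable by users */

/* Fixed environment: nothing is inherited from the caller (no IFS, PATH, LD_*, ENV). */
static char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", "IFS= \t\n", NULL };

/* Accept only a plain host name: 1..255 chars of [A-Za-z0-9.-], not starting with '-' or '.'. */
int host_is_safe(const char *h)
{
    size_t n;
    if (h == NULL || h[0] == '-' || h[0] == '.')
        return 0;
    n = strlen(h);
    if (n == 0 || n > 255)
        return 0;
    for (; *h != '\0'; h++)
        if (!isalnum((unsigned char)*h) && *h != '.' && *h != '-')
            return 0;
    return 1;
}

/* Build the argv handed to TARGET; returns 0 on success, -1 if the request is rejected. */
int build_argv(int argc, char *const argv[], char *out[3])
{
    if (argc != 2 || !host_is_safe(argv[1]))
        return -1;
    out[0] = "ftp";             /* fixed argv[0], never the caller's */
    out[1] = argv[1];
    out[2] = NULL;
    return 0;
}

int main(int argc, char *argv[])
{
    char *args[3];
    if (build_argv(argc, argv, args) != 0) {
        fprintf(stderr, "usage: wrapper <host>\n");
        return 2;
    }
    /* TARGET runs with the wrapper's effective uid, so whatever TARGET lets
       the user do is done with that privilege. */
    execve(TARGET, args, CLEAN_ENV);
    perror("execve");           /* reached only if execve failed */
    return 1;
}
```
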
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:55:16 PDT