[BBLISA] Appreciate the help...

Edward Ned Harvey bblisa2 at nedharvey.com
Sat Jan 26 09:24:36 EST 2008


I think the only thing perplexing about this question is the fact that
you're actually trying to do it.  ;-)  I think most admins won't bother
preventing a user from running any random commands that they have permission
to run; instead I think most admins (including myself) apply permissions
that are sufficiently restrictive, and the defaults are generally pretty
good.

The way I prevent this problem is to assign umask 007 to every user.  Set
the permissions correctly one time a la chmod -R o-rwx, and never worry about
world-writable ever again.  Sure some weird user might change his umask or
explicitly make something world writable and then add something in that area
to his crontab.  And then if some malicious person discovered and exploited
it to execute commands as janeuser instead of joeuser, I think the risk is
so low, and the steps to create it would be so colossally dumb, I'm just not
worried about it.

Then again, all my servers are in a protected internal network.

I think except for the most extreme cases of
server-is-facing-internet-and-customers-use-ssh-to-login, it's an unusual
level of paranoia.




> -----Original Message-----
> From: bblisa-bounces at bblisa.org [mailto:bblisa-bounces at bblisa.org] On
> Behalf Of Scott Ehrlich
> Sent: Wednesday, January 23, 2008 10:12 PM
> To: bblisa at bblisa.org
> Subject: [BBLISA] Appreciate the help...
> 
> I received some interesting answers to my cron question.  Most people
> said it was not possible.  One person reviewed cron's source code and
> said the source would need to be modified.  One person said I should
> mount the filesystem with noexec.   I'll review and test the answers as
> best I can.
> 
> To answer several people's curiosities of why I keep pushing - when I'm
> tasked with a quest, I try to tap all my resources, including this list,
> to find a solution.  One never knows when an answer might be obvious, or
> perplexing, as this question seems to have been.   To some, an answer is
> obvious.  To others, it is perplexing.   It all depends on each person's
> level of knowledge.  The more one learns, the more things can become
> more obvious.  Thus, we grow.
> 
> In the end, like now, I try to provide my findings, and, if valid, may
> be of benefit to others.
> 
> I try not to wear out the list, but do what the list was created for -
> discussion and inquiry of UNIX and related topics.   This question
> proved to test people's knowledge, and I did get some good feedback.
> 
> Thanks to all, and until the next adventure...
> 
> Scott
> 
> _______________________________________________
> bblisa mailing list
> bblisa at bblisa.org
> http://www.bblisa.org/mailman/listinfo/bblisa
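The risk Ned describes above (a script a user left world-writable and then put in his crontab) is the kind of thing a periodic audit can catch. The script below is an added example written for this archive page, not code from either poster: it walks a crontab file, skips environment and comment lines, and reports any command whose file, or the directory holding it, has the "other" write bit set (read from column 9 of `ls -ld`, assuming POSIX sh and a coreutils/BSD `ls`). The demo tree it builds is constructed sample data.

```sh
#!/bin/sh
# Added example: audit crontab entries for world-writable command paths.

# True if the path's "other" write bit is set (column 9 of `ls -ld`).
is_world_writable() {
    [ "$(ls -ld "$1" | cut -c9)" = "w" ]
}

# Print one finding per line for every entry in crontab file $1 whose
# command path, or its parent directory, is world-writable.
audit_crontab() {
    file=$1
    while IFS= read -r line || [ -n "$line" ]; do
        set -f                     # '*' time fields must not glob
        set -- $line
        set +f
        [ $# -gt 0 ] || continue
        case "$1" in
            '#'*|*=*) continue ;;                        # comment or VAR=value
            @*) [ $# -ge 2 ] || continue; shift 1 ;;     # @daily cmd
            *)  [ $# -ge 6 ] || continue; shift 5 ;;     # m h dom mon dow cmd
        esac
        cmd=$1
        [ -e "$cmd" ] || continue  # relative names / shell builtins not checked
        if is_world_writable "$cmd"; then
            echo "world-writable command: $cmd"
        fi
        dir=$(dirname "$cmd")
        if is_world_writable "$dir"; then
            echo "command in world-writable directory: $cmd (in $dir)"
        fi
    done < "$file"
}

# Constructed demo tree: one sane entry (mode 750 in a 755 dir) and one
# entry that is world-writable and sits in a world-writable directory.
make_demo() {
    d=$(mktemp -d)
    mkdir "$d/bin" "$d/open"
    printf '#!/bin/sh\necho ok\n' > "$d/bin/backup.sh"
    printf '#!/bin/sh\necho ok\n' > "$d/open/report.sh"
    chmod 755 "$d/bin"; chmod 750 "$d/bin/backup.sh"
    chmod 1777 "$d/open"; chmod 777 "$d/open/report.sh"
    printf 'SHELL=/bin/sh\n# constructed sample\n0 2 * * * %s/bin/backup.sh\n@daily %s/open/report.sh\n' \
        "$d" "$d" > "$d/crontab"
    echo "$d"
}

if [ $# -gt 0 ]; then
    for f in "$@"; do audit_crontab "$f"; done
fi
```

Run it against real spool files (for example `audit.sh /var/spool/cron/crontabs/*` on a Debian-style host) and fix anything it reports with `chmod o-w`; with Ned's umask 007 in place the list should stay empty.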
