Secure Coding mailing list archives
Re: Re: Java sandboxing not used much
From: "Kenneth R. van Wyk" <Ken () KRvW com>
Date: Thu, 11 Mar 2004 21:19:36 +0000
Jared W. Robinson wrote:
> Complex security systems are often completely ignored.

I agree, but I wouldn't stop there...

> The simplicity of the traditional UNIX permission model means that it is
> more likely to be used than abused.

Well, I've seen at least one pretty spectacular exception to this. An app that I reviewed some time back had been ported (apparently from MS-DOS) to a UNIX environment. In their rush to get the port to function, the developers left the permissions at 777 (read/write/execute to all). To make matters worse, the app executables and data were in the same directory, which was also mode 777. Just goes to show you that people will find the path of least resistance even if you make things easy.

As an aside, I'm curious how common it is to find mistakes like that made when porting an application from one OS to another. My bet is that the people doing the porting probably didn't design or write the original app, and that they had never worked on a UNIX system before. Setting everything 777 is sloppy, but probably cut down the number of "access denied" errors that they couldn't figure out... ;-\

Cheers,

Ken van Wyk
http://www.krvw.com
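The condition described in the message above (mode 777 files sitting in a mode 777 directory shared by executables and data) can be checked for mechanically. The following is an added example, not part of the original post; the function name `audit_tree` is hypothetical, and the script assumes a POSIX filesystem.

```python
import os
import stat
import sys

ANY_EXEC = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def audit_tree(root):
    """Return sorted (path, octal mode, reason) findings for world-writable entries."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        has_exec = False
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are out of scope
            mode = stat.S_IMODE(st.st_mode)
            is_exec = bool(mode & ANY_EXEC)
            has_exec = has_exec or is_exec
            if mode & stat.S_IWOTH:
                kind = "executable" if is_exec else "file"
                findings.append((path, format(mode, "04o"), "world-writable " + kind))
        dmode = stat.S_IMODE(os.lstat(dirpath).st_mode)
        # Without the sticky bit, write access to a directory lets any user
        # delete or replace entries in it, whatever the files' own modes are.
        if dmode & stat.S_IWOTH and not dmode & stat.S_ISVTX:
            reason = "world-writable directory"
            if has_exec:
                reason += " containing executables"
            findings.append((dirpath, format(dmode, "04o"), reason))
    return sorted(findings)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, mode, reason in audit_tree(target):
        print(f"{mode}  {reason}: {path}")
```

A directory is reported even when every file in it is mode 755, because the directory's own write bit is what allows an executable to be swapped out.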