Firewall Wizards mailing list archives

Re: High ranking lusers


From: carson () tla org
Date: Thu, 16 Apr 1998 17:27:18 -0400 (EDT)

"Anonymous" == Anonymous  <remailer () htp org> writes:

Anonymous> Little Boss:  The Big Boss wants a shell script to be setuid root.

Anonymous> Me:  Why ? [Thinks: Gotta get an alternative to that!
Anonymous>             He's probably only just heard of setuid bits.]

Anonymous> LB: He wants his scripts to use ftp, and ftp can only be run by root,
Anonymous>            (because security dept believe in client-side access control)
Anonymous>     and he already has a shell script wrapper to call ftp for some reason,
Anonymous>     so now he wants it to be setuid root.

Anonymous> Me: There are loads of problems with setuid scripts.
Anonymous>     [Any introductory book says so.  How can I be diplomatic about this?
Anonymous>      So is the boss happier to keep the letter of the S.D. law, while
Anonymous>      breaking the spirit?  Can we get this user added as 'can also ftp'?
Anonymous>      Why don't they leave things alone until they have time to install
Anonymous>      a good transfer program with OTP or better?]


Anonymous> LB: He wants it soon, and he's going to call it 'secure_ftp'.

Anonymous> Me: <silence>  [What excuse would Dilbert invent?]

1) If you think only allowing root to run FTP will stop anything, you're
either confused or running in an amazingly draconian environment where users
can't create executable programs.

2) Setuid shell scripts (at least /bin/sh ones) are secure in many modern
operating systems, such as Solaris 2.x, thanks to /dev/fd.

3) If (1) and (2) fail to make you modify your policy, you can always make
him code a setuid wrapper in C, instead of shell.

-- 
Carson Gaspar -- carson () cs columbia edu carson () tla org carson () cugc org
http://www.cs.columbia.edu/~carson/home.html
Queen Trapped in a Butch Body
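The C wrapper suggested in point 3, as an added example that is not part of the original post or Carson's own code: it assumes the ftp client lives at /usr/bin/ftp and is called with a single hostname argument. It shows the minimum a setuid wrapper should do that a shell script cannot guarantee: a fixed environment, an absolute path to the program it runs, and strict checking of what the caller passes in.

```c
/* Minimal setuid wrapper around ftp (example code). FTP_PATH and the
 * single-hostname interface are assumptions, not facts from the thread. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define FTP_PATH "/usr/bin/ftp"   /* assumed location of the ftp client */
#define MAX_HOST 253              /* longest hostname DNS allows */

/* A fixed environment: the caller's PATH, LD_*, etc. never reach ftp. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };

/* Accept only a plain hostname: letters, digits, '.', '-', no leading '-'
 * (so ftp cannot parse it as an option), no leading dot, no empty label. */
int safe_host(const char *h)
{
    size_t n = strlen(h);
    if (n == 0 || n > MAX_HOST || h[0] == '-' || h[0] == '.')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)h[i];
        if (!isalnum(c) && c != '.' && c != '-')
            return 0;
        if (c == '.' && h[i + 1] == '.')   /* "a..b" has an empty label */
            return 0;
    }
    return 1;
}

/* Returns 0 when the command line is exactly one safe hostname, else -1. */
int check_args(int argc, char *const argv[])
{
    return (argc == 2 && safe_host(argv[1])) ? 0 : -1;
}

int main(int argc, char *argv[])
{
    if (check_args(argc, argv) != 0) {
        fprintf(stderr, "usage: %s hostname\n", argv[0]);
        return 2;
    }
    /* Make real and effective uid agree so ftp sees one consistent identity. */
    if (setuid(geteuid()) != 0) { perror("setuid"); return 1; }
    char *const ftp_argv[] = { "ftp", argv[1], NULL };
    execve(FTP_PATH, ftp_argv, clean_env);   /* absolute path, clean env */
    perror("execve");                        /* only reached on failure */
    return 1;
}
```

Install it mode 4750 owned by root and a dedicated group, so only the intended users (not everyone) can reach the root-owned ftp through it.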


