Firewall Wizards mailing list archives

Re: High ranking lusers


From: Bennett Todd <bet () rahul net>
Date: Thu, 16 Apr 1998 07:58:31 -0700

Little Boss:  The Big Boss wants a shell script to be setuid root.

If you're fighting that kind of brushfire, you're in full retreat, and
losing.

No point in even trying to tackle these head-on.

Instead, you need to get the security policy started. This would be a
fine place. Open with a section that gives the reason for the security
policy: that the organization has resources (information, tools for
manipulating it) that need to be protected from accidental and
deliberate damage and compromise. Then start a sub-section that
discusses programming risks. Since this case is motivating the effort,
introduce a sub-sub-section on setuid programming issues (Henry
Spencer's notes on setuid programming might be a good reference).

Then go back up and start rounding out the narrow and deep start, to
cover related issues, then spread out into other major topics of
security policy --- access control, software licensing, internet access
control, etc. Check out the RFC on security policy writing, any other
online resources you can find....

A few weeks or a month later, depending on how fast you read and type,
circulate the first rough draft by anyone else you work with who has a
security clue. Incorporate their changes, and with their permission list
them as co-authors. Then run the resulting draft by your immediate boss.

Trying to do security administration without a policy is a fruitless
battle.

As the policy is evolving, always examine --- and try to document in the
document --- the benefits of the risky practice in question (i.e. the
costs of finding safer ways to achieve the same end), the costs of the
security problem (easy insider root access, difficult insider root
access, difficult outsider root access, easy outsider root access) and
justify the proposed policy in terms of costs and benefits. That
language motivates management --- as it should.

Unless of course they're hopelessly and irreparably dain-brammaged, in
which case you should be tooling up your resume.

-Bennett
