- Path: sparky!uunet!mcsun!uknet!icdoc!cc.ic.ac.uk!carrion.cc.ic.ac.uk!vulture
- From: vulture@carrion.cc.ic.ac.uk (Thomas Sippel - Dau)
- Newsgroups: comp.security.misc
- Subject: Re: root-owned world-writable files
- Message-ID: <1992Jul23.175225.11788@cc.ic.ac.uk>
- Date: 23 Jul 92 16:52:25 GMT
- References: <62524@cup.portal.com> <1992Jul21.201056.662@newshost.lanl.gov> <14htt0INNiep@hilbert.math.ksu.edu>
- Reply-To: cmaae47@cc.ic.ac.uk
- Organization: Imperial College of Science, Technology and Medicine
- Lines: 26
- Nntp-Posting-Host: cscgc
-
- In article <14htt0INNiep@hilbert.math.ksu.edu>, tar@math.ksu.edu (Tim Ramsey) writes:
- -- How do you get a complete list of files that are trusted by root, or by
- -- programs that root trusts (that is, are setuid root)?
- --
- -- Much easier to simply not have world-writable files owned by root.
-
- So does that mean we should cease to make /tmp world-writeable?
- It certainly would induce people to stick closer to POSIX :-)
-
- Otherwise, I disagree, world writeable files are not a security problem,
- inappropriate use of information in files is the problem. It is also a
- problem that people try to deduce the contents of files from the file names.
- Unfortunately this is very deeply embedded in unix, or rather in the
- common usage that is made of unix facilities.
-
- It seems, however, that the management problem that the use of filename
- 'constants' (like /etc/passwd for the password file) gives people will
- be felt before the security problem.
-
- Thomas
-
- --
- *** This is the operative statement, all previous statements are inoperative.
- * email: cmaae47 @ cc.ic.ac.uk (Thomas Sippel - Dau) (uk.ac.ic.cc on Janet)
- * voice: +44 715 895 111 x4937 or 4934 (day), or +44 718 239 497 (fax)
- * snail: Imperial College Center for Computing Services, Kensington SW7 2BX
-
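The audit this thread turns on, as an added example that is not part of the original post: a shell function that lists world-writable entries owned by root and reports sticky-bit directories (mode 1777, the usual /tmp setup) separately from plain world-writable files and directories. The function name, the output labels and the optional OWNER argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit world-writable entries by owner.
# Usage: audit_world_writable DIR [OWNER]    OWNER defaults to root; a numeric
# uid is accepted as well, because find's -user takes either form.
audit_world_writable() {
    dir=$1
    owner=${2:-root}
    # -xdev      stay on the starting filesystem (skips /proc, NFS mounts, ...)
    # ! -type l  skip symlinks: their own mode bits say nothing about access
    # -perm -0002  the "other" write bit is set
    # A world-writable directory with the sticky bit (-perm -1000) still lets
    # anyone create entries, but only an entry's owner (or the directory's
    # owner) may delete or rename it. Without the sticky bit any user can
    # remove or replace entries, so that case is labelled separately.
    find "$dir" -xdev -user "$owner" ! -type l -perm -0002 \
        \( -type d -perm -1000 -exec printf 'STICKY-DIR %s\n' {} \; \
           -o -type d -exec printf 'OPEN-DIR %s\n' {} \; \
           -o -exec printf 'FILE %s\n' {} \; \) 2>/dev/null
}

# When run as a script with arguments, audit the given directory.
if [ $# -gt 0 ]; then
    audit_world_writable "$@"
fi
```

Run as `sh audit.sh / root` for a whole-system pass; FILE and OPEN-DIR lines are the ones to review first, while STICKY-DIR lines such as /tmp are expected.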