setperms on linux
Fairlight
fairlite at fairlite.com
Thu Apr 13 14:47:03 PDT 2006
On Thu, Apr 13, 2006 at 10:40:37AM -0700, Bill Campbell, the prominent pundit,
witicized:
> On Thu, Apr 13, 2006, Kenneth Brody wrote:
> >Quoting Bill Campbell (Thu, 13 Apr 2006 10:21:37 -0700):
> >[...]
> >> I think that SuSE Linux sets nosuid and noexec in /etc/fstab on any file
> >> systems that are user mountable to prevent this type of abuse.
> >[...]
> >
> >You mean like "I have a Linux box at home, so I'll just make a root
> >setuid executable there, put it on a CD, and bring it to work"?
>
> Exactly!
If you could only take one executable, what would you take? An editor like
vim, I should think, specifically set to suid root.
Imagine the hell one could raise. You can render a system completely
inoperable in 5 seconds with the change of one byte--without changing the
MBR.
Actually...why think small? Take a shell that doesn't drop euid. You have
the run of the entire system including -all- utilities. Imagine someone
coming in and deleting all partitions with fdisk.
> BTW: One of the strongest arguments for thin clients with *NO* removable
> media is to prevent this type of thing, and to prevent employees from
> running off with company assets. One of our clients had a husband and wife
> working for them. When one of them was fired, the other, who worked in
> "human resources", took quite a bit of personnel data home with her from
> her Windows machine at work.
Cute.
Of course...[OB: fP] Was the 0666 mode for export files changed in 5.6?
I haven't had a client implement it live yet, but the data interception
abilities there are truly frightening depending what's being exported.
Granted, a developer -can- system() a chmod() after export, but that
still leaves a race condition period in which you could try and get it if
you know it's coming, and I can pretty accurately say that nobody I've
ever worked with to my memory has bothered to implement it even when
notified repeatedly about the risks involved. Actually, most developers
seem to leave exported files around until overwrite or at least for an
indeterminate and extended period of time (months), so you don't exactly
have to race, usually. This really wanted fixing. Maybe it's fixed in
5.6, I dunno. I'm asking.
Back to the other half of the post though...
People often don't consider physical security though. If you can get to
the physical console, you can do anything you want in the couple of minutes it
takes to reboot to single-user. Of course, you could just swipe the hard
drive and take it with you, as well. :) To their credit, I know several
clients that have specifically moved things to secure server rooms--and
some that started that way. Not everyone ignores physical security, but a
vast majority of people seem to. The US military certainly seems to. Just
last night I was reading about Afghan merchants selling flash RAM and thumb
drives stolen from a US base. The market they were selling them in is 200
yards from the base. Four generals' SSNs were on one memory device, right
next to their names. How's that for ignoring physical security?
mark->
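As an added, defender-side example (not from this thread, and not filePro or SuSE code): a POSIX shell audit of /etc/fstab entries that an ordinary user may mount. It applies the mount(8) rule that `user`/`users` implies nosuid and noexec unless a later `exec` or `suid` option re-enables them, and reports user-mountable entries that would still honour setuid or executable files brought in on removable media. The fstab text is constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original post. Audits fstab text for
# user-mountable filesystems whose effective options still allow exec or suid.
# SAMPLE_FSTAB is constructed sample data, not a real system's /etc/fstab.

SAMPLE_FSTAB='# constructed sample /etc/fstab
/dev/sda1   /              ext3     defaults                   1 1
/dev/cdrom  /media/cdrom   iso9660  ro,noauto,user             0 0
/dev/sdb1   /media/usb     vfat     noauto,users,exec,suid     0 0
/dev/fd0    /media/floppy  auto     noauto,user,nosuid,noexec  0 0
/dev/sdc1   /media/sd      vfat     noauto,user,exec           0 0
tmpfs       /dev/shm       tmpfs    defaults                   0 0'

# audit_fstab: reads fstab text on stdin and prints one line per entry that
# an ordinary user may mount and that still permits exec and/or suid:
#   "<mountpoint> allows:exec,suid"
# Options are evaluated left to right: "user"/"users" switch exec and suid
# off (mount(8) semantics); a later "exec"/"suid" switches them back on.
audit_fstab() {
    awk '
        /^[[:space:]]*#/ || NF < 4 { next }
        {
            n = split($4, opts, ",")
            user = 0; execok = 1; suidok = 1
            for (i = 1; i <= n; i++) {
                o = opts[i]
                if (o == "user" || o == "users") { user = 1; execok = 0; suidok = 0 }
                else if (o == "exec")   execok = 1
                else if (o == "noexec") execok = 0
                else if (o == "suid")   suidok = 1
                else if (o == "nosuid") suidok = 0
            }
            if (!user) next
            allowed = ""
            if (execok) allowed = allowed "exec,"
            if (suidok) allowed = allowed "suid,"
            if (allowed != "") {
                sub(/,$/, "", allowed)
                print $2 " allows:" allowed
            }
        }'
}

# count_findings: number of offending entries in the constructed sample
count_findings() {
    printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab | wc -l | tr -d ' '
}

# On a live system: audit_fstab < /etc/fstab
printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab
```

Entries mounted only by root (no `user`/`users` option) are skipped, since an administrator choosing to mount a CD with suid enabled is a separate decision from what an unprivileged user can do.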