[958] in linux-security and linux-alert archive


Re: Fwd: [linux-security] security idea

daemon@ATHENA.MIT.EDU (Daniel Roedding)
Thu Jul 25 14:57:38 1996

To: iang@cs.berkeley.edu (Ian Goldberg)
Date: Thu, 25 Jul 1996 09:50:45 +0200 (MDT)
From: "Daniel Roedding" <daniel@fiction.pb.owl.de>
Cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <4t3dk5$a4k@abraham.cs.berkeley.edu> from "Ian Goldberg" at Jul 23, 96 01:44:53 pm

-----BEGIN PGP SIGNED MESSAGE-----

Ian Goldberg wrote:

> In /etc/group:

>  lusers::6969:lightman,mitnick

> Your programs:

>  -r-s---r-x   1 root     lusers       9397 Aug  8  1995 /usr/bin/traceroute

> (Make sure your "newgrp" program doesn't drop your supplementary groups...)

I'm not quite sure if all Linux versions handle this properly, but
certainly many "commercial" Unix boxes won't, because they first
check the "world" access rights and then "add" group specific ones.
So you can use group specific access rights only to give members
of a certain group *more* rights than the rest of the world, but
not to *exclude* them.

My personal conclusion: Even if Linux handles "group exclusions", you
probably should not use this feature if you also have to deal with
other Unix boxes. You might forget about these peculiarities some
time and dig new security holes...

Daniel

- -- 
Daniel Roedding     daniel@fiction.pb.owl.de               INTJ
Padertown City      +49-5251-541965 voice, 541334 data     http://www.owl.de

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQBVAgUBMfcnUWaWRTqP6nZNAQHJ4gIAp/hayruoWdwpx9S7YLQXBMI28jTjOzkb
aOA9pkxxCOhte47VQ4glhL9iWfBGJohoLyk8vgQsMF5Y0dgyAl5jrw==
=RiKU
-----END PGP SIGNATURE-----
