[8788] in bugtraq
Re: Why you should avoid world-writable directories
daemon@ATHENA.MIT.EDU (Nick Maclaren)
Wed Dec 23 14:40:32 1998
Date: Tue, 22 Dec 1998 21:44:26 +0100
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Nick Maclaren <nmm1@CUS.CAM.AC.UK>
To: BUGTRAQ@NETSPACE.ORG
Gonzo Granzeau <gonzo@IRONMAN.PLANETQUAKE.COM> writes:
>
> What's really funny is how often programs with 'secure' in the title usually
> have a few more security problems than normal... `8r)
I agree that it is amusing, in a cynical sort of way. My experience is
that it is almost certainly because the authors (and I am NOT casting
stones at any particular person here) miss the fundamental rule:
The security of a program should be measured by how it is used,
and not how it is written.
Most people will have installed a new, high-security feature only to
discover that they have actually reduced security, because they didn't
have time to study the complete documentation or misunderstood it.
For example, hands up everyone who has gone around removing the setuid
bit, and included xterm :-(
The user interface AND CHECKING FOR USER ERRORS are as much part of
the security of a program as the way that it manipulates privileges.
But regrettably few programmers think that it is their business to
protect hassled and tired system administrators from their own (often
stupid) mistakes.
Regards,
Nick Maclaren,
University of Cambridge Computing Service,
New Museums Site, Pembroke Street, Cambridge CB2 3QG, England.
Email: nmm1@cam.ac.uk
Tel.: +44 1223 334761 Fax: +44 1223 334679