[16205] in bugtraq
Re: reporting local security problems for WinNT (Re: Escalation
daemon@ATHENA.MIT.EDU (Tom Perrine)
Sat Aug 12 00:07:02 2000
Message-Id:  <200008102317.QAA20689@lart>
Date:         Thu, 10 Aug 2000 16:17:56 -0700
Reply-To: Tom Perrine <tep@SDSC.EDU>
From: Tom Perrine <tep@SDSC.EDU>
X-To:         wcolburn@NMT.EDU
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20000810094911.A9411@nmt.edu> (wcolburn@NMT.EDU)
>>>>> On Thu, 10 Aug 2000 09:49:11 -0600, "William D. Colburn (aka Schlake)" <wcolburn@NMT.EDU> said:
    William> Checking permissions at install time isn't sufficient.  They may change
    William> later, and never be caught.  The program should verify the integrity of
    William> the system as often as possible.  Sendmail does a really good job of
    William> checking permissions on everything every time it does something.  It may
    William> slow things down some, but it also finds problems when they happen.
This is what cfengine is all about.  Your infrastructure "heals"
itself every time cfengine runs.
    William> As an example, I'll use the /etc directory on my mail server.  Someone
    William> here wanted to edit something without having to su to root each time, so
    William> he chmodded /etc to be group writable and owned by our staff group.
    William> Sendmail complained so I chowned/chmodded it to make it safe.  Some time
    William> later he noticed this had happened and chowned/chmodded it back.  Right
    William> away sendmail figured this out, and started complaining again.  If
    William> sendmail had only checked at installation time this could have been
    William> broken for a long time.  As it was, it was only that way for a very
    William> short time until I noticed.
Cfengine can do this for any file for which you have specified the
owner, group, permissions and/or contents.
I wouldn't kill, but I'd hurt someone Real Bad for a cfengine for
Windows with a registry editor....
--tep
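
Added example, not part of the original post and not cfengine's own code: a minimal Python sketch of the repeated check-and-repair of owner, group and permissions discussed above. The `Rule` and `converge` names and the temporary directory standing in for /etc are assumptions made for the illustration.

```python
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    path: str
    mode: int      # exact permission bits, e.g. 0o755
    uid: int = -1  # -1 means "do not check" (same convention as os.chown)
    gid: int = -1


def converge(rules, repair=False):
    """Return (path, problem) findings; with repair=True also reset to policy."""
    findings = []
    for r in rules:
        try:
            st = os.lstat(r.path)  # lstat: report a symlink, never follow it
        except FileNotFoundError:
            findings.append((r.path, "missing"))
            continue
        if stat.S_ISLNK(st.st_mode):
            findings.append((r.path, "symlink, left untouched"))
            continue
        uid = st.st_uid if r.uid < 0 else r.uid
        gid = st.st_gid if r.gid < 0 else r.gid
        if (uid, gid) != (st.st_uid, st.st_gid):
            findings.append((r.path, f"owner {st.st_uid}:{st.st_gid}, want {uid}:{gid}"))
            if repair:
                os.chown(r.path, uid, gid)  # needs privilege; done before chmod
        mode = stat.S_IMODE(st.st_mode)
        if mode != r.mode:
            findings.append((r.path, f"mode {mode:04o}, want {r.mode:04o}"))
            if repair:
                os.chmod(r.path, r.mode)
    return findings


def demo():
    """Constructed stand-in for the /etc episode: a directory made group-writable."""
    d = tempfile.mkdtemp()
    os.chmod(d, 0o775)                     # the unwanted change
    policy = [Rule(d, 0o755, uid=os.geteuid())]
    first = converge(policy, repair=True)  # detects the drift and repairs it
    second = converge(policy)              # nothing left to report
    os.rmdir(d)
    return first, second

if __name__ == "__main__":
    print(demo())
```

Run from cron with `repair=False` it only reports drift, which matches the sendmail behaviour described in the quoted text; `repair=True` is the self-healing variant.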