RE: permission

From: Curt Rozeboom (ntguru@fattony.net)
Date: 02/08/03

    From: "Curt Rozeboom" <ntguru@fattony.net>
    To: <security-basics@securityfocus.com>
    Date: Fri, 7 Feb 2003 20:05:50 -0600
    
    

    Never Never Never Never EVER give access like that to the root of ANY drive.

    Unless you WANT something to go wrong with your system!

    Make your programmers do it correctly and program it to function under the
    correct security guidelines; they are after all "programmers". If you allow
    a script to access the Root of the drive with a "guest" acct, you are
    opening up your system to all scripts, such as scripts that are targeted
    towards the %systemroot%. Once that permission is set, you might just as
    well just put a link on your web page inviting everyone to crash it, since
    that is what you are in effect doing.

    Curt
    Consultant/Trainer

    -----Original Message-----
    From: Kenzo [mailto:kenzo_chin@hotmail.com]
    Sent: Friday, February 07, 2003 1:47 PM
    To: security-basics@securityfocus.com
    Subject: permission

    OK, I need some input from you guys on this.
    Our webmaster seems to think that giving the guest internet user read access
    to the C drive is OK as long as you don't set IIS to list content and other
    stuff that I don't understand, since I don't know anything about running a
    website.
    I told him that by doing so, most subfolders will also take that permission,
    so if someone that knows what they're doing could compromise that account,
    they would have read access to almost the whole C drive.
    The box is a win2k server with IIS5. I believe he wants to do this for some
    error checking for a C or java program.
    The program is supposed to check to make sure that the drive has enough space
    before it starts writing or copying things and for that it needs read access
    to the C drive.
    To me, even though I don't know anything about programming and webhosting,
    it doesn't look right from the security point of view.

    Please give me some input on this if it's OK or not and why, so that I can
    tell him yes it's OK or NO it's not OK because of this and that.

    Thanks.
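
An added example, not part of either message and not the webmaster's program: the free-space check described in the question can be made against the application's own data directory, because the Win32 call GetDiskFreeSpaceEx accepts any directory on the volume, so the guest web account needs rights on that one directory rather than on the root of C:. The function names and the use of "." as a stand-in for the data directory are assumptions, and the non-Windows branch using statvfs goes beyond the Win2k case so the code also builds elsewhere.

```c
/* Added example: free-space check against the application's own data
 * directory, so the web account needs no rights on the root of C:. */
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/statvfs.h>
#endif

/* Bytes available to the calling account on the volume holding `dir`.
 * Returns 0 on success, -1 if the directory cannot be queried. */
int volume_free_bytes(const char *dir, unsigned long long *out)
{
#ifdef _WIN32
    ULARGE_INTEGER avail;
    /* Accepts any directory on the volume, not just "C:\\". */
    if (!GetDiskFreeSpaceExA(dir, &avail, NULL, NULL))
        return -1;
    *out = avail.QuadPart;
#else
    struct statvfs vfs;
    if (statvfs(dir, &vfs) != 0)
        return -1;
    *out = (unsigned long long)vfs.f_bavail * vfs.f_frsize;
#endif
    return 0;
}

/* 1 if `needed` bytes fit while leaving `reserve` bytes free, 0 if not,
 * -1 if the query failed. The caller should treat -1 as "do not write". */
int has_room(const char *dir, unsigned long long needed,
             unsigned long long reserve)
{
    unsigned long long avail;
    if (volume_free_bytes(dir, &avail) != 0)
        return -1;
    if (needed > avail)           /* avoids overflow in needed + reserve */
        return 0;
    return (avail - needed) >= reserve;
}

int main(void)
{
    /* "." stands in for the hypothetical upload/data directory. */
    int ok = has_room(".", 10ULL * 1024 * 1024, 50ULL * 1024 * 1024);
    printf("room for 10 MiB with 50 MiB reserve: %d\n", ok);
    return 0;
}
```
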


