Re: SECURITY PROBLEM OR NOT

From: phn@icke-reklam.ipsec.nu
Date: 11/27/02


From: phn@icke-reklam.ipsec.nu
Date: Wed, 27 Nov 2002 11:43:41 +0000 (UTC)

Michel De Rouck <michel.de-rouck@steria.be> wrote:
> I know this is the way it works on some UNIX flavours (I don't know if
> ALL of them have the same problem).
> I could find solutions to work around this problem...
> But my question remains: is there someone who could confirm that this
> is not a security breach against C2
> security certification?
> If not, could someone explain why it is not against C2 security?

Security-aware programmers don't use environmental and process arguments.
On some unices you can also "clear them out", there will be a short
instance where they are visible.

So this is a "well-known" effect of how un*x works. Nothing new here.

Restricting access to "other processes" is possible, but is not
giving any real security.

Restricting a user's possibility to execute anything but a limited
list of applications will give much better security. (man chroot, jail)

-- 
Peter Håkanson         
        IPSec  Sverige      ( At Gothenburg Riverside )
           Sorry about my e-mail address, but i'm trying to keep spam out,
	   remove "icke-reklam" if you feel for mailing me. Thanx.
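
The effect discussed in this thread, as an added example that is not part of the original post: a child process is started once with a secret in its argument list and once with the secret sent over a stdin pipe, and the parent reads what the system exposes about that process. It assumes a Linux-style /proc; the names `SECRET`, `visible_cmdline`, `launch` and `leaks` are hypothetical, and the secret is a constructed sample value.

```python
import subprocess
import sys

SECRET = "s3cr3t-constructed-example"  # constructed sample value, not a real credential

# Child program: block on one line of stdin so it stays alive while we inspect it.
CHILD = "import sys; sys.stdin.readline()"


def visible_cmdline(pid):
    """Return the argument list the kernel exposes for `pid` (Linux /proc).

    This is the same data `ps` prints for other users' processes.
    """
    with open(f"/proc/{pid}/cmdline", "rb") as fh:
        return [arg.decode() for arg in fh.read().split(b"\0") if arg]


def launch(secret_in_argv):
    """Start the child with the secret in argv or on stdin; return what /proc shows."""
    argv = [sys.executable, "-c", CHILD]
    if secret_in_argv:
        argv.append("--password=" + SECRET)
    proc = subprocess.Popen(argv, stdin=subprocess.PIPE, text=True)
    try:
        seen = visible_cmdline(proc.pid)
    finally:
        # The pipe carries the secret (or only a newline) and lets the child exit.
        proc.communicate(("" if secret_in_argv else SECRET) + "\n")
    return seen


def leaks(seen):
    """True if the secret appears anywhere in the exposed argument list."""
    return any(SECRET in arg for arg in seen)


if __name__ == "__main__":
    print("secret in argv  ->", "visible" if leaks(launch(True)) else "hidden")
    print("secret on stdin ->", "visible" if leaks(launch(False)) else "hidden")
```
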

