[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Loosening file checks--a good idea?



On Sun, May 19, 2002 at 11:36:11AM -0400, Sam Hartman wrote:
> >>>>> "Theodore" == Theodore Ts'o <tytso@MIT.EDU> writes:
> 
>     Theodore> My recommendation would be to control the behaviour
>     Theodore> based on a module-arguments in the pam.conf/pam.d entry.
>     Theodore> I'd also make the default be to not follow symlinks,
>     Theodore> since it could potentially cause a security exposure
>     Theodore> (even in the pam_listfile case), so it should be one of
> 
> How do you have a security exposure with symlinks in this case?
> 
> Also, I tend to disagree that at least for the case of pam_listfile
> 
> having an option to control the behavior is appropriate.  Either
> you're willing to trust the administrator or you are not.

I haven't checked pam_listfile, but if it's not checking the write
permissions and ownerships of the file and of the containing
directory, you're right, there's not much point.  I'd argue, though,
that's it's worthwhile to add such sanity checks.

I view checks like this as safety-mechanisms that prevent a lawnmower
blade from spinning if the lawnmower is lifted off the ground.  It
turns out that people were trying to use a lawnmover to trim hedges,
losing their grip and dropping the lawnmower, and losing a foot in the
process.  A few lawsuits later, manufacturers elected to improve the
product by adding these safety checks.  Now, one could argue that
people who are stupid enough to try to trim hedges with their
lawnmowers deserve what they get, and this is "evolution in action",
but (a) you generally can't catch them before they breed, and (b)
losing a foot doesn't stop them from breeding (it would be different
if they dropped the lawnmower on a different part of their anatomy,
but that doesn't tend to happen :-), and (c) just simply costs society
money in terms of supporting the idiots who can no longer work.

In any case, given the average intelligence of the average Linux
administrator, the more safety checks we can add, the better.  The
bottom line is no, I don't trust the administrator, and so being able
to force them to read the (F******) man page to find out how to
disable the safety check is a good thing.

						- Ted





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []