scs@adam.pika.mit.edu (Steve Summit) (04/29/89)
In article <5947@ux.cs.man.ac.uk> dente%man.ee.els@ukacrl.BITNET (Colin Dente) writes:
>In article <43200079@uicsrd.csrd.uiuc.edu> kai@uicsrd.csrd.uiuc.edu writes:
>>The .netrc file is a potentially *horrible* breach of security. One of the
>>first rules taught about passwords is "never write them down".
>Okay - I'm fairly new to this Unix sys-admin game, so enlighten me. Just *how*
>insecure is a file with mode 0X00?

The problem is not so much how insecure they are, but how insecure they might be. In principle, of course, there are no security holes, and files are just as secure as their permissions indicate.

One problem with files whose security can be breached just by reading them is that bugs which permit unauthorized reading are much less deadly and therefore less likely to be noticed. If there's a bug that allows unauthorized writing, the first thing somebody does is scribble on /etc/passwd or /usr/lib/crontab, and they break in right away and hopefully you notice right away, and since this is all fairly high-profile and dangerous, people are generally very careful not to accidentally allow unauthorized write access. A bug which allows unauthorized read access, on the other hand, doesn't necessarily introduce cascading security breaches at all, and can go undetected (by good guys or bad guys) for some time.

This is, I'll admit, a circular argument; and quite paranoid, as it considers bugs which haven't been detected (or even perpetrated!) yet, but when you care about security it pays to be paranoid.

If you really can't afford to have anybody see something (password, privileged information, etc.), don't put it in an unencrypted file, regardless of the file permissions. There are too many ways, including "out of band" ones, for files to be read. (Hint: what do your operators do with worn-out backup tapes? I've seen them dumped in wastebaskets which were placed outside the machine room door for the janitors to pick up...)

Steve Summit
scs@adam.pika.mit.edu
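An audit sketch for the point argued above, added here as an example and not part of the original post: it reports lax mode bits on a .netrc-style file, and also reports every stored password even when the mode is 0600, since permissions do not cover backups or read bugs. The function names, the sample hosts and the simplified token handling (macdef assumed to start its line) are assumptions.

```python
import os
import stat

# Constructed sample; hosts and secrets are made up.
SAMPLE = """machine ftp.example.org login alice password CONSTRUCTED-1
machine mirror.example.net login anonymous
default login guest password CONSTRUCTED-2
"""

def stored_passwords(text):
    """Return the entries that carry a password token (values are discarded)."""
    tokens, in_macro = [], False
    for line in text.splitlines():
        if in_macro:                        # a macdef body runs to the next blank line
            in_macro = bool(line.strip())
            continue
        words = line.split()
        if words and words[0] == "macdef":  # assumption: macdef starts its line
            in_macro = True
            continue
        tokens.extend(words)
    hosts, current, it = [], None, iter(tokens)
    for tok in it:
        if tok == "machine":
            current = next(it, None)
        elif tok == "default":
            current = "default"
        elif tok in ("login", "account"):
            next(it, None)                  # skip the value
        elif tok == "password":
            next(it, None)                  # consume the secret, never keep it
            hosts.append(current)
    return hosts

def audit_netrc(path):
    """Findings for one file: lax mode bits first, then every stored password."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8", errors="replace") as fh:
        hosts = stored_passwords(fh.read())
    findings = []
    if mode & 0o077:
        findings.append(f"mode {mode:04o} lets group/other access the file")
    findings += [f"plaintext password stored for {h}" for h in hosts]
    return findings

if __name__ == "__main__":
    print(stored_passwords(SAMPLE))
```

Run `audit_netrc` against each user's `~/.netrc`; a file at mode 0600 still yields one finding per stored password.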