[comp.admin.policy] running COPS without asking

marchany@vtserf.cc.vt.edu (Randy Marchany) (06/25/91)

In article <JBW.91Jun24214900@maverick.uswest.com> jbw@maverick.uswest.com (Joe Wells) writes:
>   Any useful security effort requires the cooperation and tolerance of the
>   administrator (or his boss...or her boss...or SOMEBODY in the chain).  And
>   my comments were intended to encourage that cooperation where it can reasonably
>   be achieved.  If the cooperation of administration cannot be achieved then
>   ANY ideas are useless.
>
>No, actually, the people responsible for the non-cooperation (i.e. the
>system administrators) should be disciplined.  After all, they are being
>paid to do their job.
>   So the only really rational choices are:
>   2.  Get permission to poke at security.  Go through as many levels
>       as necessary to do so.
>The user already had permission (as all users on this system do by
>default) to access publicly accessible directories and files.
>   3.  Poke at security and accept the consequences if caught.
>Hmm, accept the consequences of doing something he has already been
>granted permission to do, sounds funny.

Having not paid a lot of attention to this particular discussion, I was
just wondering what the WRITTEN policy at this site looks like. Does
this site have a written policy at all? If not, then it seems the 
"administration" is leaving itself open to subjective interpretations of
what is considered "acceptable/ethical behaviour". If there is a STATED
policy on what is considered "proper" access of files, users running
their own "security checks", etc. and if the user has followed those
guidelines, then I can see Mr. Wells' point. If the STATED policy forbids
such actions, then there is no discussion as to who is wrong in this
case. If there is NO written policy, then there should be in order to
avoid the particular dilemma described here. 

Again, get a policy WRITTEN down, get the users to affirm that they
agree to abide by the policy and that's it. A simple section stating
something like: 
	Users are not allowed to perform "security checks" of their
	own without notifying a system administrator PRIOR to the 
	action. Files that have world-read access granted can be
	read by any legitimate user of the system.
in the overall policy statement would prevent the kind of name calling
that is destructive to a workable computing environment.

	-Randy Marchany
	Va Tech Computing Center
Internet: marchany@vtserf.cc.vt.edu

jbw@maverick.uswest.com (Joe Wells) (06/25/91)

In article <FWP1.91Jun20224943@Jester.CC.MsState.Edu> fwp1@CC.MsState.Edu (Frank Peters) writes:

   >    If both efforts fail then he should take the issue of security up with the
   >    administrator's superior.  If all of these efforts fail then your post might
   >    have relevance.

   : On 21 Jun 91 03:21:01 GMT, jbw@maverick.uswest.com (Joe Wells) said:

   > Two possibilities here:

   > 1) Mr. Foo goes to the sysadmin's superior without a COPS report in hand.
   >    The sysadmin's superior laughs at Mr. Foo because he/she has full
   >    confidence that the sysadmin has taken security well in hand.

   > 2) Mr. Foo goes to the sysadmin's superior and demonstrates that there are
   >    serious security problems by displaying the COPS report.  Mr. Foo is
   >    then immediately kicked off the system as a "security threat".

   > Unfortunately, your suggestion doesn't work.

   Well, if nobody in the chain of responsibility is willing to discuss the 
   issue rationally with you then you really don't have any choice but to 
   accept the situation or find another system.  Anything you do in this
   direction becomes pointless in the face of an administration that won't 
   be reasonable.

So a student, who is paying well over ten thousand dollars a year to have
access to university equipment is supposed to simply go elsewhere?  When
there is only one machine on which he is authorized to have an account?
So after spending $10000+ per year, he's supposed to buy his own computer
+ necessary software on top of that while the other students get to use
the university's computer?

(Actually, the C.S. department has been struggling for years to gain
complete administrative control of its own computers.  Its own money is
tied up in a central computing office and it doesn't have enough extra
money like Chemistry and Physics to simply tell the central computing guys
to take a hike.)

   Any useful security effort requires the cooperation and tolerance of the
   administrator (or his boss...or her boss...or SOMEBODY in the chain).  And
   my comments were intended to encourage that cooperation where it can reasonably
   be achieved.  If the cooperation of administration cannot be achieved then
   ANY ideas are useless.

No, actually, the people responsible for the non-cooperation (i.e. the
system administrators) should be disciplined.  After all, they are being
paid to do their job.

   >    In my experience, most administrators don't mind security conscious users.
   >    What they generally do mind is finding users who are 'evaluating' the system's
   >    security without prior consultation.

   > You mean they mind users embarrassing them by showing that they aren't
   > doing their job?

   How on earth did you reach that interpretation??

I was using the phrase "you mean" rather loosely here.  I'm sorry for
implying that I thought that was *your* real meaning.  What I meant was
that was *the* real meaning (in my opinion of course!), regardless of what
you claimed it was.

   What they mind (the reasonable ones...the only ones worth discussing) is
   finding people poking at their security without any way of knowing whether
   they are innocently testing or cracking.  

You seem to be taking the attitude that users should not be allowed to
look at publicly accessible files (which is all our "Mr. Foo" did).  If
he wasn't allowed to do that, then why were the permissions on the
directories set so as to let him inspect the files' permissions?
Hypothetically speaking, if the user does not in fact have "permission" to
look at files he has "permission" to look at, then where is the list
identifying which files he is allowed to access?  In fact, the users on
the system in question are authorized to access files according to their
permissions.

   No sane system administrator is convinced of the security of his or her
   system no matter how much time s/he spends on it.  There is always the
   possibility of that one missed hole.  So any sane administrator MUST
   be concerned about all unauthorized prodding of the systems security.

In the case we are discussing, the so-called "prodding" was authorized.
The user did not in any way subvert security.  He applied the Unix stat
system call to files that are publicly "stat"-able on normal Unix
systems.

   So the only really rational choices are:

   1.  Accept that the administrator knows how to manage security.

Unfortunately false, in this case.

   2.  Get permission to poke at security.  Go through as many levels
       as necessary to do so.

The user already had permission (as all users on this system do by
default) to access publicly accessible directories and files.

   3.  Poke at security and accept the consequences if caught.

Hmm, accept the consequences of doing something he has already been
granted permission to do, sounds funny.

   4.  Use the system but don't trust its security (don't put critical files
       on the system and so on).

Wise.

   5.  Abandon the system and find computing resources elsewhere.

Expensive, especially when he's already paying through the nose for access
to the system.

   I really cannot see any meaningful alternatives outside of these.  And
   insulting administrators or users isn't going to create any.

The user in question did not insult anyone.  His communications regarding
the security holes were most polite.

-- 
Joe Wells <jbw@uswest.com>

jbw@maverick.uswest.com (Joe Wells) (06/25/91)

In article <1948@vtserf.cc.vt.edu> marchany@vtserf.cc.vt.edu (Randy Marchany) writes:

   Really now. This whole issue has gone far enough. There is NO problem
   with users "checking" system security IF they advise the sysadmin BEFORE
   they do it AND, I repeat, AND it is permissible under the site's
   existing policy.

So users on a Unix system are not allowed to apply the Unix "stat" system
call to files which are normally reachable via the "stat" system call.
And the "read" system call to files which are normally accessible via the
"read" system call.  Bizarre!

   The IETF working group on Site Security Policies specifically mentions
   that individual sites need to make a decision on how to handle "tiger
   teams" (after all, this is really what this particular discussion has
   been about... a tiger team of 1).

A tiger team of 1 employing the *dangerous* "stat" and "read" system
calls.  Scary!  :-) :-) :-)

-- 
Joe Wells <jbw@uswest.com>
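Wells's point in both of his posts is that the "security check" under dispute consisted of nothing more than stat(2) applied to files whose directory permissions already allowed it. The following is an added example, not COPS itself and not code from anyone in this thread: a small Python audit that uses only lstat metadata (it never opens or reads a file) to flag the permission problems a tool like COPS reports, namely world-writable files, world-writable directories without the sticky bit, and setuid/setgid files. The helper names (`classify`, `audit_tree`, `build_sample_tree`, `demo`) and the scratch tree it audits are constructed for this illustration and run against a throwaway temporary directory.

```python
import os
import stat
import tempfile


def classify(mode):
    """Return the findings for one st_mode value, derived from the bits alone.

    Every test here reads only metadata that stat(2) hands to any user who
    can search the containing directory; no file content is touched.
    """
    findings = []
    if stat.S_ISLNK(mode):
        return findings  # a symlink's own mode bits carry no meaning
    if mode & stat.S_IWOTH:
        if stat.S_ISDIR(mode):
            # /tmp-style directories are acceptable only with the sticky bit,
            # which stops users from removing or renaming each other's files.
            if not mode & stat.S_ISVTX:
                findings.append("world-writable directory without sticky bit")
        else:
            findings.append("world-writable file")
    if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append("setuid/setgid file")
    return findings


def audit_tree(root):
    """Walk root with lstat only and return {relative_path: [findings]}."""
    results = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        # The directory itself plus its regular entries; subdirectories are
        # checked when os.walk descends into them.
        for full in [dirpath] + [os.path.join(dirpath, n) for n in filenames]:
            try:
                mode = os.lstat(full).st_mode
            except OSError:
                continue  # vanished or not stat-able: skip rather than guess
            found = classify(mode)
            if found:
                results[os.path.relpath(full, root)] = found
    return results


def build_sample_tree(base):
    """Constructed sample tree (hypothetical, not from the thread):
    a clean file, a world-writable log, a drop-box directory without the
    sticky bit, a sticky /tmp-style directory, and a setuid stand-in."""
    def make_file(rel, mode):
        path = os.path.join(base, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)  # chmod after writing so the setuid bit survives

    make_file("clean.txt", 0o644)
    make_file("scratch.log", 0o666)
    os.mkdir(os.path.join(base, "dropbox"))
    os.chmod(os.path.join(base, "dropbox"), 0o777)
    os.mkdir(os.path.join(base, "tmp_ok"))
    os.chmod(os.path.join(base, "tmp_ok"), 0o1777)
    make_file("helper", 0o4755)


def demo():
    """Build the constructed tree in a scratch directory and audit it."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return audit_tree(base)


if __name__ == "__main__":
    for path, findings in sorted(demo().items()):
        print(path + ": " + "; ".join(findings))
```

The audit deliberately stops at metadata: whether a site treats this kind of read-only inspection as routine use or as a "security check" requiring prior notice is exactly the policy question Marchany says should be written down, and a written rule is easier to apply when the tool's footprint is this well defined.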