Re: Security hole

Ed Casas (edc@cce.com)
Sat, 30 Mar 1996 08:21:19 -0800 (PST)

> Here's the key: "files that the user owns"
> ...
> Create a new user account, with the bare minimum permissions
> for the account to be active. Make sure it has a different gid
> than your normal login. To bring up Netscape, rlogin as that
> user, and then run Netscape. The browser process will be owned
> by this dummy user, who has no write permissions anywhere in
> your filesystem. So the Java applet can do whatever it wants,
> and the most it'll do is wipe the virtually-empty home
> directory of the dummy user.

This is *not* a good idea.

Your system almost certainly has programs that can be exploited
by a regular user, even a "nobody" (-2) user, to obtain root
access and/or do extensive damage.

A good rule of thumb for UNIX systems is to assume that if a user
can run their own code they can obtain root privileges.

If you absolutely need to use Java you might consider putting a
chroot(2) wrapper around the whole thing.

-- 
Ed Casas (edc@cce.com)