Reducing browser privileges! - Page 4
Page 4 of 4 FirstFirst ... 234
Results 31 to 38 of 38

Thread: Reducing browser privileges!

  1. #31
    AO Curmudgeon rcgreen's Avatar
    Join Date
    Nov 2001
    Posts
    2,716
    What would you call an account that has access to things not granted to it by the access control policy?
    I would call that a contradiction in terms, and a straw man.
    On my own PC, I write the goddamn access control
    policy, and I am root. You got a problem with that?
    No? Then STFU.
    I came in to the world with nothing. I still have most of it.

  2. #32
    Banned
    Join Date
    May 2003
    Posts
    1,004
    You write the use policy, the developers write the system policy. You merely configure the system policy to ideally be in line with the use policy.

    At the end of the day you have a policy of access controls... and then an account that completely voids that policy. Not sure why you have difficulty in grasping that fact... but then you have a problem grasping many facts...

    cheers,

    catch

  3. #33
    AO Curmudgeon rcgreen's Avatar
    Join Date
    Nov 2001
    Posts
    2,716
    What penance must I do, oh great one?
    I came in to the world with nothing. I still have most of it.

  4. #34
    Banned
    Join Date
    May 2003
    Posts
    1,004
    Every morning look into the mirror and repeat:

    Reference monitors are good enough,
    Reference monitors are smart enough,
    Doggone it people like reference monitors.

    twenty times or so until you really believe it.

    cheers,

    catch

  5. #35
    AO BOFH: Luser Abuser BModeratorFH gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Originally posted here by catch
    SUSE isn't bad either.

    And gore... at 16, your cousin needs to learn to shut his mouth and open his mind. I think we can all agree how clueless we were at 16.
    Heheheheheheheheheheheh say it more often catch

    And yea, he's 16 and in high school so he's learning from me he isn't right all the time, and I make sure and tell him his freinds are idiots weekly.
    Kill the lights, let the candles burn behind the pumpkins’ mischievous grins, and let the skeletons dance. For one thing is certain, The Misfits have returned and once again everyday is Halloween.The Misfits FreeBSD
    Cannibal Holocaust
    SuSE Linux
    Slackware Linux

  6. #36
    Senior Member
    Join Date
    Nov 2005
    Posts
    115
    As opposed to normal users who all have the same privilieges and then a superuser account that doesn't even use permissions.
    Root undergoes no privilege or permission checks.
    Super user does use permissions but then will allow override if directly specified... had plenty of moments like these editing the hosts file...

    I asked "So how will groups help you set up directory that allows a user to delete files, but not subdirectories while allowing the user to create subdirectories (with a predefined set of rights different than the original directory) but not new files and disallows the user to execute files or traverse the directory and allowing them to read file attributes but not read file security settings?"
    Very interesting example... Is this a real world example?

  7. #37
    Banned
    Join Date
    May 2003
    Posts
    1,004
    Super user does use permissions but then will allow override if directly specified
    Not true... it does not do a permission check... observe:

    Code:
    [root@luna doc_root]# uname -a 
    Linux luna.xxxxxx.xxx 2.2.16-22 #1 Tue Aug 22 16:49:06 EDT 2000 i686 unknown
    
    [root@luna doc_root]# ls -l test
    -rwx------    1 apache   apache          2 Dec  4 10:54 test
    
    [root@luna doc_root]# vi test
    *** change the contents of test from "1234" to "23456" ***
    *** No errors or warnings are issued ***
    
    [root@luna doc_root]# ls -l test
    -rwx------    1 apache   apache          3 Dec  4 10:57 test
    Root is able to alter files which it has no specified rights to, since UNIX uses a default deny model... clearly no check has been done.

    Is this a real world example?
    Yes, one of the operators at more former employer had rights like this... useful for deleting files that other users were not allowed to delete regarding various aspects of application development, etc (when they deleted these files they went to this directory) the operator would create new subdirs for different projects or points of deletion.

    cheers,

    catch

  8. #38
    T̙͓̞̣̯ͦͭͅͅȂͧͭͧ̏̈͏̖̖Z̿ ͆̎̄
    Join Date
    Dec 2004
    Posts
    3,171
    bumped

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides