Re: some reality about iptables, please

From: Colin Watson (cjwatson_at_debian.org)
Date: 08/28/03

    Date: Thu, 28 Aug 2003 10:27:34 +0100
    To: Debian-User List <debian-user@lists.debian.org>
    
    

    On Wed, Aug 27, 2003 at 09:13:51PM -0600, Jacob Anawalt wrote:
    > Bret Comstock Waldow wrote:
    > >On Wed, 2003-08-27 at 00:39, Kevin Mark wrote:
    > >>the script can not be accessed by anyone. it can only be called inside
    > >>the script which can only be run by a root user. So it doesn't seem to be
    > >>a security concern (but I'm not a security expert -- will the local guru
    > >>comment)
    > >
    > >I'll be interested to hear it too. In theory, there must be some reason
    > >it was put in the script in the first place...
    >
    > On my system the init.d scripts are o+rx, so anyone can read and execute
    > them, so the script itself doesn't provide protection. I didn't change
    > anything so I must assume this is the debian unstable default for
    > /etc/init.d/ scripts. The commands the script tries to execute,
    > iptables, iptables-save, iptables-root will not work from a normal user
    > account.

    Yes. If you think about it: there's no point making the script
    unreadable by default, because anyone can download it from the Debian
    archive and read it there. Since it isn't set-id, there's no point not
    making it executable either, because anyone can just read it and execute
    the same commands from an interactive shell. If iptables worked as a
    non-root user, the security problem would be there, not in the calling
    script.

    In general I don't believe that there's ever any point making non-set-id
    scripts unreadable or unexecutable, except when they contain sensitive
    data.

    -- 
    Colin Watson                                  [cjwatson@flatline.org.uk]
    -- 
    To UNSUBSCRIBE, email to debian-user-request@lists.debian.org 
    with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
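The rule in the reply above, as a small audit helper. This is an added example, not code from the thread, from Debian or from the iptables package: it sorts a script into the three cases the reply distinguishes (set-id, so the privilege lives in the file; world-readable and carrying sensitive data, the one exception named; otherwise harmless, because o+rx on a non-set-id script grants nothing the caller could not get by retyping its commands). The credential pattern in has_secrets and the category names are assumptions, and the files in demo are constructed, not real init scripts.

```shell
#!/bin/sh
# Hypothetical audit helper (added example, not Debian's or iptables' code).
# Classifies a script the way the post reasons about /etc/init.d permissions:
#   setid     - setuid/setgid bit set: the file itself confers privilege
#   sensitive - world-readable and embeds credential-like data
#   harmless  - non-set-id script whose commands anyone could run themselves

# is_setid FILE -> exit 0 if the setuid or setgid bit is set
is_setid() {
    [ -u "$1" ] || [ -g "$1" ]
}

# world_readable FILE -> exit 0 if "others" have the read bit (column 8 of ls -l)
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# has_secrets FILE -> exit 0 if the script looks like it embeds a credential.
# The pattern is an assumed heuristic, not an exhaustive secret scanner.
has_secrets() {
    grep -Eiq '^[[:space:]]*(export[[:space:]]+)?[A-Z_]*(PASSWORD|PASSWD|SECRET|PSK|TOKEN)[A-Z_]*=' "$1"
}

# classify FILE -> prints exactly one of: setid, sensitive, harmless
classify() {
    f=$1
    if is_setid "$f"; then
        echo setid            # restrict: the bit, not the mode 0755, is the risk
    elif world_readable "$f" && has_secrets "$f"; then
        echo sensitive        # the only case where o+r on a plain script matters
    else
        echo harmless         # the privileged program (iptables) does the gating
    fi
}

# demo: run the classifier over constructed files in a scratch directory
demo() {
    d=$(mktemp -d)
    printf '#!/bin/sh\niptables -F\n' > "$d/firewall"
    chmod 0755 "$d/firewall"            # the Debian default: o+rx, no set-id
    printf '#!/bin/sh\nPASSWORD=hunter2\nrsync -e ssh / backup:/\n' > "$d/backup"
    chmod 0755 "$d/backup"              # readable by all and carries a secret
    cp "$d/firewall" "$d/suid-firewall"
    chmod 4755 "$d/suid-firewall"       # same commands, but now setuid
    for f in firewall backup suid-firewall; do
        printf '%s: %s\n' "$f" "$(classify "$d/$f")"
    done
    rm -rf "$d"
}
```

Running demo prints firewall: harmless, backup: sensitive, suid-firewall: setid. The point of the split is that chmod 0700 on the firewall script would change nothing for an attacker, since iptables itself refuses to run without the privilege; the backup script is the case where unreadability actually protects something.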
    
