info-cvs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: New update to the CVS ACL patch to support user groups


From: Greg A. Woods
Subject: RE: New update to the CVS ACL patch to support user groups
Date: Wed, 25 Jul 2001 14:15:13 -0400 (EDT)

[ On Wednesday, July 25, 2001 at 12:49:13 (-0400), Noel L Yap wrote: ]
> Subject: RE: New update to the CVS ACL patch to support user groups
>
> Are you talking about file system ACL's or CVS ACL's?  If it's the former, I
> don't see how this would be possible since authorisation is done by the file
> system and you're logged in as yourself.  If it's the latter, I agree.

No, I'm talking only about filesystem ACLs.  You need to learn to think
more like a paranoid systems security auditor!  ;-)

The obvious example is if I have access to one of the programs used by
any of the CVSROOT/*info files then I can modify that program to do my
dirty work.  Since I can make my modifications only take effect when
you, for example, trigger it, I'll be able to do anything you can do
since I'll be directing your CVS invocation what to do, but hopefully
without your knowledge.  This is a basic indirect attack scenario,
similar to most any "Trojan Horse" style attack.

The direct attack approach is almost always the least likely approach an
attacker will take, and of course with filesystem ACLs "physically"
blocking the direct approach the remaining avenues of attack are through
users who are not physically blocked by the filesystem ACLs.  This type
of attack has been used for decades in the Unix environment -- it's
simply the generic form of all attacks which try to raise one's
privileges by (ab)using some tool into giving access that wasn't
authorised or intended.  The attacker simply tricks some program or user
into doing something unexpected.  There have even been a multitude of
system security scanners that used goal-based AI tools to scan systems
to look for such indirect avenues of attacks.  I even wrote one of them
once upon a time....

-- 
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <address@hidden>     <address@hidden>
Planix, Inc. <address@hidden>;   Secrets of the Weird <address@hidden>



reply via email to

[Prev in Thread] Current Thread [Next in Thread]