Weird situation - Security


Thread: Weird situation

  1. Weird situation

    While I've never held a specific title of SysAdmin anywhere I've
    worked, I've been at least a backup and the last place I worked I was
    responsible for monitoring and maintaining about 10 RH boxes in addition
    to my regular daily duties (the full time admins had about a hundred+
    AIX, RH, SCO & Sun machines apiece to take care of). Long story short,
    in this new job/position, they have their Linux boxes (SuSE 10 and 10.1)
    set up to closely resemble a windows environment and it's driving me
    crazy. They have "." in everyone's path and so all the scripts that I
    get to debug won't run on my machine because I was always told to never
    do that and have always used normal Unix/Linux pathing in Perl and
    shell scripts. So, I have to edit the scripts just to get them to run
    and then figure out what's wrong with them.

    I guess what I'm asking is other than the obvious, is there any other
    ammunition I can use to get them to understand that this is not a good
    situation?

    TIA,

    Andy C.(never #)


  2. Re: Weird situation

    Andy C.(never #) wrote:
    > While I've never held a specific title of SysAdmin anywhere I've
    > worked, I've been at least a backup and the last place I worked I was
    > responsible for monitoring and maintaining about 10 RH boxes in addition
    > to my regular daily duties (the full time admins had about a hundred+
    > AIX, RH, SCO & Sun machines apiece to take care of). Long story short,
    > in this new job/position, they have their Linux boxes (SuSE 10 and 10.1)
    > set up to closely resemble a windows environment and it's driving me
    > crazy. They have "." in everyone's path and so all the scripts that I
    > get to debug won't run on my machine because I was always told to never
    > do that and have always used normal Unix/Linux pathing in Perl and
    > shell scripts. So, I have to edit the scripts just to get them to run
    > and then figure out what's wrong with them.
    >
    > I guess what I'm asking is other than the obvious, is there any other
    > ammunition I can use to get them to understand that this is not a good
    > situation?


    Yeah, if I'm not mistaken it's a security hole. Especially if . is in
    /etc/profile or in something root might run (accidentally or not).
    Imagine if you put an input recorder in /home/me/ssh -- so that it
    collects passwords but otherwise acts like ssh. Would your IDS system
    pick this up?

  3. Re: Weird situation

    Matt Hayden wrote:

    > Yeah, if I'm not mistaken it's a security hole. Especially if . is in
    > /etc/profile or in something root might run (accidentally or not).

    Oops. What I meant was: if /etc/profile has a line setting . into PATH,
    like PATH=$PATH:/usr/local/bin:.
    not literally if /etc/profile has any line with .
    Sorry in advance for confusion.

  4. Re: Weird situation

    Matt Hayden :
    > Matt Hayden wrote:
    >
    > > Yeah, if I'm not mistaken it's a security hole. Especially if . is in
    > > /etc/profile or in something root might run (accidentally or not).

    >
    > Oops. What I meant was: if /etc/profile has a line setting . into PATH,
    > like PATH=$PATH:/usr/local/bin:.
    > not literally if /etc/profile has any line with .


    Don't use the system supplied PATH.

    echo $PATH

    Now edit to your tastes and don't use theirs. That means, no
    "PATH=$PATH..." stuff.

    btw, . is only a security problem if the . is at the beginning of
    the PATH, or it's an abysmally insecure system (crackers dropping
    binaries into users' directories). However, the fewer stupid things
    done on the box, the better, I agree.


    --
    Any technology distinguishable from magic is insufficiently advanced.
    (*) http://www.spots.ab.ca/~keeling Linux Counter #80292
    - - http://www.faqs.org/rfcs/rfc1855.html Please, don't Cc: me.
    Spammers! http://www.spots.ab.ca/~keeling/emails.html

  5. Re: Weird situation

    s. keeling wrote:
    > Matt Hayden :
    > > Matt Hayden wrote:
    > >

    > SNIP


    First, thanks for your replies. You confirm my concerns. But, wait,
    there's more:

    I noticed on one of the production boxes that there were quite a few
    "hidden" perl scripts(period first character in file name) and these
    boxes have partitions that are mounted to windows machines via NFS. I
    asked one of the brain trust why they were doing that when a windows
    user can see those files because a period in the first position of the
    file name doesn't mean anything to windows explorer. The answer was
    along the lines that when someone ftp's into those boxes, they don't
    want them to see those scripts and accidentally run them. I blurted out
    "do you know what chroot does?" and then I said "Wait a minute, are you
    talking about regular old ftp?" and he said "Yeah." with a "so what"
    kind of voice. I walked away. Now, I think I need to be looking for
    another job.

    Thanks again,

    Andy C.(never #)


  6. Re: Weird situation

    On 14 Dec 2006, in the Usenet newsgroup comp.os.linux.security, in article
    <1166103989.939017.4900@79g2000cws.googlegroups.com>, Andy C.(never #) wrote:

    >s. keeling wrote:
    >> Matt Hayden :
    >>> Matt Hayden wrote:
    >>>

    >> SNIP

    >
    >First, thanks for your replies. You confirm my concerns.


    Brief explanation WHY the dot in the path is considered bad.

    UNIX is a multi-user operating system, originally run on mainframe type
    computers with the multiple users setting at dumb terminals (a display
    of some kind and a keyboard). Users are given limited access, such
    that they can't alter system binaries, configuration files, and the like.
    This access is controlled by permission masks and group ownership.

    The 'dot' in the PATH (giving direct command access to the current
    directory) is a problem where untrustworthy users have 'write' and
    'chmod' access. In the distant past, this was a bunch of students
    having access to a common directory. It was great fun to create
    a script that erases the victim's home directory. Ha, Ha, Ha. Lacking
    the dot in the PATH merely means that the prankster has to convince the
    victim to run './ls' rather than 'ls' to have the same result.

    Some feel that it's safer to have the 'dot' at the end of the PATH,
    rather than somewhere else. While this may be slightly safer, this is
    only the case if you don't make 'typ0grafical' errors. I'm sure you
    _never_ typed 'ls-l' or 'mroe' or similar, right?

    Part one of the common solution is to not have the 'dot' in the PATH.
    Another part of the solution is to type the full path to any command.
    This is especially important for users with elevated privilege, like
    root. Good training stresses that any script should set the PATH to
    explicit values - if you are paranoid, you also flush the ENVIRONMENT
    and disable aliases.

    Why does windoze default to having 'dot' in the PATH? Remember that
    windoze is at its soul a single user, single tasking system with a
    heritage from DOS 1.0 running on a single floppy. Different philosophy
    entirely.

    >But, wait, there's more:


    If you call within the next ten minutes....

    >I noticed on one of the production boxes that there were quite a few
    >"hidden" perl scripts(period first character in file name) and these
    >boxes have partitions that are mounted to windows machines via NFS. I
    >asked one of the brain trust why they were doing that when a windows
    >user can see those files because a period in the first position of the
    >file name doesn't mean anything to windows explorer. The answer was
    >along the lines that when someone ftp's into those boxes, they don't
    >want them to see those scripts and accidentally run them.


    FTP doesn't allow execution of files, unless you've jumped through
    hoops to allow a 'site exec' command.

    >I blurted out "do you know what chroot does?"


    Ummm...

    >and then I said "Wait a minute, are you talking about regular old ftp?"
    >and he said "Yeah." with a "so what" kind of voice.


    If you are comparing this to a secure shell type of file transfer, the
    difference is mainly that the authentication is passed as plain text
    over the wire. In a switched network environment, this is a lot less
    risky than the old 'party-line' style non-switched network where any
    host can sniff all of the traffic. But the question is what kind of
    FTP access? Anonymous downloads? Privileged users uploading executables?
    There is a bit of a difference in risk. What is the clientele like?
    Mischievous kids? Clueless users who have to have crib notes to find the
    power switch?

    >I walked away. Now, I think I need to be looking for another job.


    I can see your concern (and I don't disagree with it), but we're a bit
    short of the details to gauge if this is just the everyday disaster
    waiting to happen, or something where your head will roll when someone
    else screws up and mistypes something (intentionally or not).

    Old guy
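
    As an added example (not from the thread or any of its posters), here is
    a small POSIX shell audit of the problem Matt and the Old guy describe: it
    flags a "." entry, an empty entry (a leading, trailing or doubled colon,
    which the shell also treats as the current directory) and any relative
    entry in a PATH value, and it finds the `PATH=$PATH:/usr/local/bin:.`
    style line in a profile file. The sample PATH values and the sample profile
    are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread. POSIX sh; relies only on grep,
# printf and mktemp. Sample inputs below are constructed.
#
# What the thread recommends for scripts themselves: set PATH explicitly at
# the top instead of inheriting the caller's, e.g.
#     PATH=/usr/bin:/bin; export PATH

# audit_path PATHVALUE
# Prints one line per risky entry and returns 1 if any was found, else 0.
# Risky entries: "." , an empty entry (":" at either end or "::" in the middle
# also mean "current directory"), and any other relative entry.
# Entries starting with '$' (e.g. $PATH inside a profile line) are skipped,
# since their value is unknown until the profile runs.
audit_path() {
    _rest="$1:"          # trailing ':' so the loop also sees a final empty entry
    _pos=0
    _rc=0
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}
        _rest=${_rest#*:}
        _pos=$((_pos + 1))
        case "$_entry" in
            "")   printf 'position %d: empty entry (means current directory)\n' "$_pos"; _rc=1 ;;
            .)    printf 'position %d: "." (current directory)\n' "$_pos"; _rc=1 ;;
            /*)   ;;      # absolute path: fine
            \$*)  ;;      # variable reference: cannot judge statically
            *)    printf 'position %d: relative entry "%s"\n' "$_pos" "$_entry"; _rc=1 ;;
        esac
    done
    return $_rc
}

# scan_profile FILE
# Prints, with line numbers, every PATH assignment in FILE whose value fails
# audit_path. Handles plain and "export PATH=..." forms, stops the value at
# whitespace or ';' and strips simple double quotes.
scan_profile() {
    grep -nE '(^|[[:space:];])(export[[:space:]]+)?PATH=' "$1" |
        while IFS= read -r _line; do
            _val=${_line#*PATH=}
            _val=${_val%%[[:space:];]*}
            _val=${_val#\"}
            _val=${_val%\"}
            if ! audit_path "$_val" >/dev/null; then
                printf '%s\n' "$_line"
            fi
        done
}

# Demonstration on constructed data.
echo "== constructed PATH with a trailing dot =="
audit_path "/usr/bin:/bin:/usr/local/bin:." || echo "(risky entries found)"

_demo=$(mktemp)
printf '%s\n' '# constructed /etc/profile fragment' \
              'MANPATH=/usr/share/man' \
              'PATH=$PATH:/usr/local/bin:.' \
              'export PATH=/usr/bin:/bin' > "$_demo"
echo "== PATH lines in the constructed profile that add the current directory =="
scan_profile "$_demo"
rm -f "$_demo"
```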

  7. Re: Weird situation

    Moe Trin wrote:
    > On 14 Dec 2006, in the Usenet newsgroup comp.os.linux.security, in article
    > <1166103989.939017.4900@79g2000cws.googlegroups.com>, Andy C.(never #) wrote:
    >SNIP


    Thanks for reminding me of why I do so much of what I do. I think you
    have hit on something, also.

    While I was exposed to Unix in college most of my early professional
    work was on PC's with some AS/400 work mixed in. But very early on I
    got disillusioned with Dos/windoze and started looking at alternatives.
    I ordered and installed 386BSD from Dr. Dobbs and when the Linux
    distros started showing up, I bought them and tried them and watched
    them grow and mature. And on my PC's and network I was root when I
    wanted to be. And if I messed something up, I got to reinstall what I
    had broken. So, when I got to do Linux as a professional, the
    transition from the windows way of doing things to Unix/Linux was a
    breeze. In fact it was natural. But for a windows user suddenly thrust
    into Linux/Unix it must be a bit constraining.

    What would you suggest as a way of gradually moving windows users into
    a Linux/Unix network? I've used VMWare and have suggested it as a way
    to have windows users run their OS without allowing them complete
    control of a machine, but it seems a bit like overkill.

    > Old guy


    We're only as old as our kids tell us we are...

    Later,

    Andy C.(never #)


  8. Re: Weird situation

    On 14 Dec 2006, in the Usenet newsgroup comp.os.linux.security, in article
    <1166130869.168606.18470@f1g2000cwa.googlegroups.com>, Andy C.(never #) wrote:

    alt.computer.security: 1-73223
    >While I was exposed to Unix in college most of my early professional
    >work was on PC's with some AS/400 work mixed in. But very early on I
    >got disillusioned with Dos/windoze and started looking at alternatives.
    >I ordered and installed 386BSD from Dr. Dobbs


    I knew Bill before he created 386BSD - in fact he did a bit of his early
    work on voice synthesizers in the mid 1970s on a desktop calculator
    (HP9830) in my lab. He was then an intern from UC.

    >So, when I got to do Linux as a professional, the transition from the
    >windows way of doing things to Unix/Linux was a breeze. In fact it was
    >natural. But for a windows user suddenly thrust into Linux/Unix it must
    >be a bit constraining.


    It's a whole different world. While early PC users (running DOS) had
    some similarities to a *nix, the introduction of windoze went a long way
    to break any similarities. My wife still doesn't feel as comfortable
    at the UNIX command line as she did at the DOS command line. Some of
    that is the horrendous increase in the number of commands (DOS 5 had
    68 commands - there are over 1350 in my user path, and over 1650 as
    root) but part was the dependence on clicking on some icon or a pull
    down menu to accomplish something. She got _very_ used to that.

    >What would you suggest as a way of gradually moving windows users into
    >a Linux/Unix network? I've used VMWare and have suggested it as a way
    >to have windows users run their OS without allowing them complete
    >control of a machine, but it seems a bit like overkill.


    Obviously, it's going to depend quite a bit on what those users are
    doing now. Later versions of windoze are adopting the concept of
    user versus administrator, but from where I stand, I see that most
    are resisting the idea of running with lesser privilege, apparently
    because they can't do all the things that they feel the need to do.
    How realistic this stance may be, I can't say, as I have no one
    using windoze either at home or work.

    I feel most of the move is a function of the applications that the users
    are trying to run. Is the work basically text editing? Spreadsheets?
    Databases? You probably won't find *nix applications that look/feel
    exactly like their windoze counterparts, but you probably _will_
    find ones that are close. I had a friend at Grumman who was using
    a set of programs called 'CrossoverOffice' from CodeWeaver to run
    windoze (NT, I think) applications on a Linux box. It was less
    expensive than VMWare and windoze. Are they programmers trying to
    write C, or perl, or some besotted version of hypertext? Applications
    used in that area may function identically, but will look and feel
    quite different.

    >> Old guy

    >
    >We're only as old as our kids tell us we are...


    Geez, am I in trouble.

    Old guy


  9. Re: Weird situation

    Moe Trin wrote:
    >SNIP


    > I knew Bill before he created 386BSD - in fact he did a bit of his early
    > work on voice synthesizers in the mid 1970s on a desktop calculator
    > (HP9830) in my lab. He was then an intern from UC.
    >

    I still have the cd. I don't remember if it came with X, but I remember
    how I loved having 4 or 5 full screen console sessions running with
    output scrolling out and thinking why can't I do this in DOS?

    > It's a whole different world. While early PC users (running DOS) had
    > some similarities to a *nix, the introduction of windoze went a long way
    > to break any similarities. My wife still doesn't feel as comfortable
    > at the UNIX command line as she did at the DOS command line. Some of
    > that is the horrendous increase in the number of commands (DOS 5 had
    > 68 commands - there are over 1350 in my user path, and over 1650 as
    > root) but part was the dependence on clicking on some icon or a pull
    > down menu to accomplish something. She got _very_ used to that.
    >

    Yes, but that means we have more choices. More different ways to
    accomplish the same thing. Sometimes one way is not "better" than
    another, it's just different. Maybe windows users think that's wasteful
    or confusing, but I think you're more likely to be successful at
    solving a problem if you have more ways available to you to solve that
    problem.

    > I feel most of the move is a function of the applications that the users
    > are trying to run. Is the work basically text editing? Spreadsheets?
    > Databases? You probably won't find *nix applications that look/feel
    > exactly like their windoze counterparts, but you probably _will_
    > find ones that are close. I had a friend at Grumman who was using
    > a set of programs called 'CrossoverOffice' from CodeWeaver to run
    > windoze (NT, I think) applications on a Linux box. It was less

    I'm trying to get my wife used to using OpenOffice. I like it better
    than the MS equivalent and not just because the MS product costs $500
    more. So far she hasn't run into any word docs or xl spreadsheets that
    she can't open and edit. I know that will be a problem if she ever
    does.

    > expensive than VMWare and windoze. Are they programmers trying to
    > write C, or perl, or some besotted version of hypertext? Applications
    > used in that area may function identically, but will look and feel
    > quite different.
    >

    I can't be specific, NDA and all that, but they are trying to develop a
    suite of cross-platform applications using Perl, C/C++ and Java to move
    and map huge amounts of data between different networks and platforms.
    Since most of the existing developers come from windows, the majority
    of the compromises made to make this cross-platform have been on the
    Unix/Linux side.

    > >> Old guy

    > >
    > >We're only as old as our kids tell us we are...

    >
    > Geez, am I in trouble.
    >
    > Old guy


    lol. Nuff said.

    Later.


  10. Re: Weird situation

    Moe Trin wrote:
    > On 14 Dec 2006, in the Usenet newsgroup comp.os.linux.security, in article
    > Obviously, it's going to depend quite a bit on what those users are
    > doing now. Later versions of windoze are adopting the concept of
    > user versus administrator, but from where I stand, I see that most
    > are resisting the idea of running with lesser privilege, apparently
    > because they can't do all the things that they feel the need to do.
    > How realistic this stance may be, I can't say, as I have no one
    > using windoze either at home or work.


    I have seen a lot of enterprise Windows shops and almost all of them
    have a VERY restricted user policy. No casual user has "Administrator"
    (root) privilege. These shops are just as locked down as any Unix shop
    and in some cases more locked down as they also use policies to restrict
    use of applications and ACL (access control lists) to restrict
    privileges (something which Linux has only recently started to support).
    These enterprise shops have a full time staff of IT people that have
    been trained and get good pay. End users do NOT under any circumstance
    get to install anything. It can be pretty draconian but it works just
    like the Sun shops I worked in. If you need it done you have to call the
    IT people who come and do it and leave.

    Most people just don't have the understanding or patience for this at
    home. Windows' biggest problem, in my opinion, has been there is no
    equivalent to su or sudo. Windows does have a "Run As" mechanism but it
    is disabled by default and it is just too hard to make work; in fact it
    is just plain broken. Linux distributions like Ubuntu make it pretty
    easy for a person to keep from living as root. The sudo mechanism works
    pretty well, though it is a problem if a person is too uninitiated. It
    is also not a good distribution, in my opinion, for an enterprise shop
    as it is too easy to be root and destroy everything.

    I hope I don't get flamed for this. As I said it is just my opinion and
    I could be wrong.

  11. Re: Weird situation

    "Barton L. Phillips" (06-12-16 06:09:22):

    > I have seen a lot of enterprise Windows shops and almost all of them
    > have a VERY restricted user policy. No casual user has "Administrator"
    > (root) privilege. These shops are just as locked down as any Unix shop
    > and in some cases more locked down as they also use policies to
    > restrict use of applications and ACL (access control lists) to
    > restrict privileges (something which Linux has only recently started
    > to support). These enterprise shops have a full time staff of IT
    > people that have been trained and get good pay. End users do NOT under
    > any circumstance get to install anything. It can be pretty draconian
    > but it works just like the Sun shops I worked in. If you need it done
    > you have to call the IT people who come and do it and leave.
    >
    > Most people just don't have the understanding or patience for this at
    > home. Windows' biggest problem, in my opinion, has been there is no
    > equivalent to su or sudo. Windows does have a "Run As" mechanism but
    > it is disabled by default and it is just too hard to make work; in
    > fact it is just plain broken. Linux distributions like Ubuntu make it
    > pretty easy for a person to keep from living as root. The sudo
    > mechanism works pretty well, though it is a problem if a person is too
    > uninitiated. It is also not a good distribution, in my opinion, for an
    > enterprise shop as it is too easy to be root and destroy everything.
    >
    > I hope I don't get flamed for this. As I said it is just my opinion
    > and I could be wrong.


    In some matters, yes. The problem with Windows is that security means
    restriction. To secure something, you need to prohibit at least this
    particular thing. For example, in Linux you can do almost anything as a
    normal user, besides changing system-wide things.

    In Windows, such a configuration is not possible. Some people might
    consider this security by obscurity. Like I have to prohibit my
    children from turning on the TV themselves, so I get control over which
    programs they watch.


    Regards,
    E.S.

  12. Re: Weird situation

    Ertugrul Soeylemez wrote:
    > "Barton L. Phillips" (06-12-16 06:09:22):
    >
    >> I have seen a lot of enterprise Windows shops and almost all of them
    >> have a VERY restricted user policy. No casual user has "Administrator"
    >> (root) privilege. These shops are just as locked down as any Unix shop
    >> and in some cases more locked down as they also use policies to
    >> restrict use of applications and ACL (access control lists) to
    >> restrict privileges (something which Linux has only recently started
    >> to support). These enterprise shops have a full time staff of IT
    >> people that have been trained and get good pay. End users do NOT under
    >> any circumstance get to install anything. It can be pretty draconian
    >> but it works just like the Sun shops I worked in. If you need it done
    >> you have to call the IT people who come and do it and leave.
    >>
    >> Most people just don't have the understanding or patience for this at
    >> home. Windows' biggest problem, in my opinion, has been there is no
    >> equivalent to su or sudo. Windows does have a "Run As" mechanism but
    >> it is disabled by default and it is just too hard to make work; in
    >> fact it is just plain broken. Linux distributions like Ubuntu make it
    >> pretty easy for a person to keep from living as root. The sudo
    >> mechanism works pretty well, though it is a problem if a person is too
    >> uninitiated. It is also not a good distribution, in my opinion, for an
    >> enterprise shop as it is too easy to be root and destroy everything.
    >>
    >> I hope I don't get flamed for this. As I said it is just my opinion
    >> and I could be wrong.

    >
    > In some matters, yes. The problem with Windows is that security means
    > restriction. To secure something, you need to prohibit at least this
    > particular thing. For example, in Linux you can do almost anything as a
    > normal user, besides changing system-wide things.
    >
    > In Windows, such a configuration is not possible. Some people might
    > consider this security by obscurity. Like I have to prohibit my
    > children from turning on the TV themselves, so I get control over which
    > programs they watch.
    >
    >
    > Regards,
    > E.S.

    I certainly agree and don't get me wrong I HATE Windows. As far as I am
    concerned Windows is and has always been broken. Year after year
    Microsoft has added new features but has seldom really fixed any of the
    standing problems.

    Having ranted the above, I have worked in environments where Windows has
    been made to work and is pretty darn secure. This has taken tremendous
    effort from the IT staff and an enlightened management but it was done.
    The poor IT guys had to come in in the middle of the night to do almost
    all upgrades and patches because every machine in the enterprise would
    have to be rebooted many times during the process. However, with
    dedication and an awful lot of very hard work Windows can be made usable
    and basically secure.

    Why anyone would want to go through such pain is hard for me to
    understand, especially now with so many very good and usable
    alternatives. But then again what do I know?

  13. Re: Weird situation

    On 15 Dec 2006, in the Usenet newsgroup comp.os.linux.security, in article
    <1166198111.502553.319600@f1g2000cwa.googlegroups.com>, Andy C.(never #) wrote:

    >Moe Trin wrote:


    >> (DOS 5 had 68 commands - there are over 1350 in my user path, and over
    >> 1650 as root)


    >Yes, but that means we have more choices. More different ways to
    >accomplish the same thing. Sometimes one way is not "better" than
    >another, it's just different. Maybe windows users think that's wasteful
    >or confusing, but I think you're more likely to be successful at
    >solving a problem if you have more ways available to you to solve that
    >problem.


    What I usually show people is the output of the history command, parsed
    to sort what I've been doing. This tends to show I'm constantly re-using
    70 to 100 commands. I'm sure there are scores (probably hundreds) of
    commands on this system that I've never used. I am a command line
    dinosaur, and tell people to use what-ever works for them. Get the
    results you need - pretty can come later if needed.

    >> You probably won't find *nix applications that look/feel exactly like
    >> their windoze counterparts, but you probably _will_ find ones that are
    >> close.


    >I'm trying to get my wife used to using OpenOffice. I like it better
    >than the MS equivalent and not just because the MS product costs $500
    >more.


    I understand that's why the company where my wife works went to FOSS.
    Even with a site license from microsoft, the costs were outrageous.

    >So far she hasn't run into any word docs or xl spreadsheets that
    >she can't open and edit. I know that will be a problem if she ever
    >does.


    My wife hasn't mentioned the problem either. I know that microsoft
    intentionally makes new "standards" that are incompatible with older
    stuff. Case in point - their MS-CHAP Version 1 authentication protocol
    (documented in RFC2433) is intentionally incompatible with Version 2
    (documented in RFC2759). It backfired on the Internet, as neither
    protocol is used any more (few ISPs even use the original CHAP-MD5
    authentication from RFC1994 - but default to PAP documented in RFC1334
    from 1992). Should someone supply you with a document in a new
    (and incompatible) format, it's usually possible to request that person
    to supply it in an older microsoft format that OO can handle. For web
    sites that demand the latest microsoft whizzy stuff, I simply go
    elsewhere - they obviously don't want my business.

    >I can't be specific, NDA and all that, but they are trying to develop a
    >suite of cross-platform applications using Perl, C/C++ and Java to move
    >and map huge amounts of data between different networks and platforms.


    Ack the NDA - I have the same limitation. C and C++ are obviously
    much more dependent on the O/S, but perl and Java _should_ be free of
    most O/S constraints.

    >Since most of the existing developers come from windows, the majority
    >of the compromises made to make this cross-platform have been on the
    >Unix/Linux side.


    -rw-rw-r-- 1 gferg ldp 642561 Mar 10 2003 Secure-Programs-HOWTO
    -rw-rw-r-- 1 gferg ldp 155096 Jan 23 2004 Security-HOWTO

    If you are into dead trees, see http://www.ora.com for

    Practical UNIX and Internet Security, Third Edition (Feb 2003, $54.95)

    Yellow binding, front cover is an olde fashioned floor safe. 984 pages.
    There is also

    Secure Coding: Principles and Practices (Jun 2003, $29.95)
    Secure Programming Cookbook for C and C++ (Jul 2003, $49.95)

    Old guy

  14. Re: Weird situation

    On Sat, 16 Dec 2006, in the Usenet newsgroup comp.os.linux.security, in article
    , Barton L. Phillips wrote:

    >I have seen a lot of enterprise Windows shops and almost all of them
    >have a VERY restricted user policy. No casual user has "Administrator"
    >(root) privilege. These shops are just as locked down as any Unix shop
    >and in some cases more locked down as they also use policies to restrict
    >use of applications and ACL (access control lists) to restrict
    >privileges


    Novell Netware had an excellent access control system in the 1990s.

    >These enterprise shops have a full time staff of IT people that have
    >been trained and get good pay. End users do NOT under any circumstance
    >get to install anything. It can be pretty draconian but it works just
    >like the Sun shops I worked in.


    Agreed. Compare the knowledge that was needed to get a Novell CNE (or
    for that matter, the plain old CNA) versus the various microsoft
    certifications.

    >Most people just don't have the understanding or patience for this at
    >home.


    Bingo. And this carries over into smaller businesses that don't feel
    they have the needs to justify the well trained and expensive staff.
    In the early 1980s, computers were extremely expensive (my first IBM
    PC-XT priced out at over US$4000, and the PC-AT was nearly US$6000).
    This was not a home system. Then came the clones, and by 1995 it seemed
    that everyone had a computer at home. Now, I'm sure this is the case.
    This means that everyone is "familiar" with the PC, and invariably
    assumes that what works at home is just peachy at work. It is _so_
    much fun to bang on a neighbor's cage (he admins windoze in an
    insurance agency with about 150 users) and hear him foaming about the
    latest helpful hint he received from the president (whose 12 year old
    son is an expert obviously).

    >Windows' biggest problem, in my opinion, has been there is no equivalent
    >to su or sudo. Windows does have a "Run As" mechanism but it is disabled
    >by default and it is just too hard to make work; in fact it is just plain
    >broken.


    Some of this is "the target audience". Windoze wants to be the very
    easy system to use - so easy that _everyone_ uses it at home. The problem
    with this is that they are stuck in the single user mind set from MS-DOS.

    >Linux distributions like Ubuntu make it pretty easy for a person to
    >keep from living as root. The sudo mechanism works pretty well, though
    >it is a problem if a person is too uninitiated. It is also not a good
    >distribution, in my opinion, for an enterprise shop as it is too easy to
    >be root and destroy everything.


    The "popular" distributions do have this advantage. The risk of destroying
    everything can be reduced by properly configuring 'sudo' and restricting
    the use of 'su' to those with the extra skills needed. On the other paw, these same
    distributions depend on "helper" programs, often GUI, to handle the
    complicated stuff. The problem is that the helper programs are hiding
    what they are doing, and when the helper becomes broken on otherwise
    unavailable, the under-trained administrator is screwed. How many (for
    example) are even aware of the difference between 'su' and 'su -' (or
    'su -l'), and where this may be the only quick way to salvage some
    screwup involving root's environment?

    >I hope I don't get flamed for this. As I said it is just my opinion and
    >I could be wrong.


    I'm certainly not going to disagree with you.

    Old guy

  15. Re: Weird situation

    On Sat, 16 Dec 2006, in the Usenet newsgroup comp.os.linux.security, in
    article , Barton L. Phillips wrote:

    >I certainly agree and don't get me wrong I HATE Windows. As far as I am
    >concerned Windows is and has always been broken. Year after year
    >Microsoft has added new features but has seldom really fixed any of the
    >standing problems.


    Well, they have. It's just that often when they do so, they add in new
    and different bugs. There are thousands of jokes about this problem.

    >Having ranted the above, I have worked in environments where Windows has
    >been made to work and is pretty darn secure. This has taken tremendous
    >effort from the IT staff and an enlightened management but it was done.


    Agreed

    >The poor IT guys had to come in in the middle of the night to do almost
    >all upgrades and patches because every machine in the enterprise would
    >have to be rebooted many times during the process.


    And more thousands of jokes about this one.

    >However, with dedication and an awful lot of very hard work Windows can
    >be made usable and basically secure.
    >
    >Why anyone would want to go through such pain is hard for me to
    >understand, especially now with so many very good and usable
    >alternatives.


    One argument that has been used fairly often _against_ FOSS is the
    pointy-haired-boss asking that in case something goes wrong, who can they
    sue? Putting that paragraph of the microsoft EULA on a viewgraph, and
    underlining the "we're not responsible" statement is useless, because the
    boss can't read anyway.

    Old guy

  16. Re: Weird situation

    "Barton L. Phillips" (06-12-16 18:49:21):

    > I certainly agree and don't get me wrong I HATE Windows. As far as I
    > am concerned Windows is and has always been broken. Year after year
    > Microsoft has added new features but has seldom really fixed any of
    > the standing problems.


    Because they can't. The whole concept of Windows is broken. And when
    it's already broken in theory, it can't be alright in practise. After
    so many years, Windows is still a single-user system.


    > Having ranted the above, I have worked in environments where Windows
    > has been made to work and is pretty darn secure. This has taken
    > tremendous effort from the IT staff and an enlightened management but
    > it was done. The poor IT guys had to come in in the middle of the
    > night to do almost all upgrades and patches because every machine in
    > the enterprise would have to be rebooted many times during the
    > process. However, with dedication and an awful lot of very hard work
    > Windows can be made usable and basically secure.


    True. It's not necessarily insecure. But as said, securing it up means
    hard work and a whole lot of restrictions for the users.


    > Why anyone would want to go through such pain is hard for me to
    > understand, especially now with so many very good and usable
    > alternatives. But then again what do I know?


    Moe Trin is completely right. Because the boss wants it that way. He
    deals with money and business contacts. He doesn't have any clue about
    security. In fact, he doesn't even understand why security is most
    important in an enterprise.


    Regards,
    E.S.

  17. Re: Weird situation


    s. keeling wrote:
    > Matt Hayden :
    > > Matt Hayden wrote:
    > >
    > > > Yeah, if I'm not mistaken it's a security hole. Especially if . is in
    > > > /etc/profile or in something root might run (accidentally or not).

    > >
    > > Oops. What I meant was: if /etc/profile has a line setting . into PATH,
    > > like PATH=$PATH:/usr/local/bin:.
    > > not literally if /etc/profile has any line with .

    >
    > Don't use the system supplied PATH.
    >
    > echo $PATH
    >
    > Now edit to your tastes and don't use theirs. That means, no
    > "PATH=$PATH..." stuff.
    >
    > btw, . is only a security problem if the . is at the beginning of
    > the PATH, or it's an abysmally insecure system (crackers dropping
    > binaries into user's directories). However, the fewer stupid things
    > done on the box, the better, I agree.
    >
    >
    > --
    > Any technology distinguishable from magic is insufficiently advanced.
    > (*) http://www.spots.ab.ca/~keeling Linux Counter #80292
    > - - http://www.faqs.org/rfcs/rfc1855.html Please, don't Cc: me.
    > Spammers! http://www.spots.ab.ca/~keeling/emails.html



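As an added example (written for this page, not code from any poster in the thread), a small POSIX shell audit for the point s. keeling makes above: "." or an empty PATH component at the front of PATH is the dangerous case, since any command can then be shadowed by a file in the working directory, while one at the end only shadows commands no earlier directory provides. It also scans a startup file for assignments like the `PATH=$PATH:/usr/local/bin:.` line quoted in the thread. The function names and the sample profile lines in the test are my own constructions.

```shell
#!/bin/sh
# Added example, not from the thread: audit a PATH value for components that
# resolve to the current directory ("." or an empty field, which POSIX shells
# treat as ".") and for relative components (also resolved against the cwd).

# Prints one line per risky component: "<position> <component> <kind> [<where>]".
# Returns 0 when PATH is clean, 1 when at least one risky component exists.
audit_path() {
    rest="$1:"          # trailing ":" lets the loop see a final empty field
    pos=0
    found=0
    while [ -n "$rest" ]; do
        comp="${rest%%:*}"
        rest="${rest#*:}"
        pos=$((pos + 1))
        case "$comp" in
            ''|.)   kind="current-directory" ;;
            /*)     continue ;;            # absolute path: fine for this check
            *)      kind="relative" ;;     # e.g. "bin": resolved against the cwd
        esac
        found=1
        if [ "$pos" -eq 1 ]; then where="front of PATH"; else where="not first"; fi
        printf '%d %s %s [%s]\n' "$pos" "${comp:-<empty>}" "$kind" "$where"
    done
    [ "$found" -eq 0 ]
}

# One-word verdict for scripting: "clean", "front" (first risky component is
# the first PATH entry, the serious case) or "later".
path_verdict() {
    audit_path "$1" | awk '
        NR == 1 { v = ($1 == 1) ? "front" : "later"; print v; f = 1 }
        END     { if (!f) print "clean" }'
}

# Report lines in a shell startup file (e.g. /etc/profile) that assign a "."
# component into PATH, such as: PATH=$PATH:/usr/local/bin:.
# Prints "<lineno>:<line>" for each hit; returns 0 if any, 1 if none (grep semantics).
find_dot_in_path_assignments() {
    grep -nE 'PATH="?([^[:space:]]*:)?\.(:|"|[[:space:]]|$)' "$1"
}

# Stand-alone use: audit the caller's own PATH.
if [ "${AUDIT_PATH_SELFTEST:-0}" = "0" ] && [ -n "${PATH_TO_AUDIT:-}" ]; then
    audit_path "$PATH_TO_AUDIT" || echo "verdict: $(path_verdict "$PATH_TO_AUDIT")"
fi
```

Run `PATH_TO_AUDIT="$PATH" sh audit.sh` to check the current shell's PATH, or `find_dot_in_path_assignments /etc/profile` from a sourced copy to find where the "." is being added.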