Xref: utzoo alt.bbs:2912 alt.security:1524 comp.unix.sysv386:322
Path: utzoo!utgpu!cs.utexas.edu!hellgate.utah.edu!cs.utah.edu!zeleznik
From: zeleznik@cs.utah.edu (Mike Zeleznik)
Newsgroups: alt.bbs,alt.security,comp.unix.sysv386
Subject: Re: Protecting against downloads
Message-ID: <1990Sep13.094137.18065@hellgate.utah.edu>
Date: 13 Sep 90 15:41:37 GMT
References: <22@tdw205.ed.ray.com> <iPZeP1w163w@halcyon.wa.com> <epeterso.653228040@houligan>
Organization: University of Utah CS Dept
Lines: 27

In article <epeterso.653228040@houligan> epeterson@encore.com writes:
>ralphs@halcyon.wa.com (Ralph Sims) writes:
>| heiser@sud509.ed.ray.com (Bill Heiser - Unix Sys Admin) writes:
>| > A *ix sysop I communite with recently told me that he'd caught one of
>| > his "shell-access" users downloading *ix binaries.
>| 
> [ lots deleted ...]
>
>What you might do is write a shell script (or hack the xmodem, kermit,
>or sz code) to check the user and group ID for each file that is being
>attempted to be transferred.  If the UID and GID are "root" or "sys"
>or "bin" or some other system ID, then deny access to the file.
>Otherwise, let it go through as normal.

Can't this be circumvented by the user first copying the files to their own
directory, making them owned by the user.  Now they are valid for export.  

And if you try and change all the possible ways to copy a file, such that
the above checks are made, the user can still load their own copy program
to do it for them, since it doesn't have to run in any priv mode.

Mike

  Michael Zeleznik              Computer Science Dept.
                                University of Utah
  zeleznik@cs.utah.edu          Salt Lake City, UT  84112
                                (801) 581-5617