Xref: utzoo alt.security:1525 alt.bbs:2913 comp.unix.sysv386:324
Path: utzoo!utgpu!cs.utexas.edu!uunet!naitc!karl
From: karl@naitc.uucp (Karl Denninger)
Newsgroups: alt.security,alt.bbs,comp.unix.sysv386
Subject: Re: Protecting against downloads
Summary: Make your executables execute-only; remove read access to them
Message-ID: <1990Sep13.154822.17902@naitc.uucp>
Date: 13 Sep 90 15:48:22 GMT
References: <22@tdw205.ed.ray.com>
Reply-To: karl@naitc.naitc.com (Karl Denninger)
Organization: A.C. Nielsen Bannockburn, IL
Lines: 40

In article <22@tdw205.ed.ray.com> heiser@sud509.ed.ray.com (Bill Heiser - Unix Sys Admin) writes:
>
>A *ix sysop I communicate with recently told me that he'd caught one of
>his "shell-access" users downloading *ix binaries. Since I'm getting
>ready to set up my system for public access, this concerns me. How
>do you all who run public-access systems protect yourselves against this
>kind of thing? If it went on for long enough, the person could get
>himself an entire OS for free!!
>
>As far as I can see, we either have to trust the users that we give
>shell access to, or make kermit/sz, etc unavailable to them. I guess
>we could just make downloads only available thru the "bbs", rather than
>from the shell ...
>
>Anyone else have any ideas on this? How do you all deal with this?

Easy. Remove read access for everyone other than root on all the system
executables and files. Now you can't download the files, since you can't
open them for read access.

MOST systems ship with the entire contents of /bin, /usr/bin, and even /etc
readable by world! This, needless to say, is complete garbage; there's no
reason in the world why someone has to have read access to /bin/cc!

I would consider that any manufacturer who does this is at least guilty of
contributory negligence if their software gets stolen. And the list that I
know of includes Microport, AT&T, ISC, SCO, and others. Yep, all the '386
Unix people.

Now, if you are so inclined and decide to, you can actually remove read
access on all these files. Or you can just let them have 'at it, figuring
that the manufacturer wanted them world-readable, since he/she left them
that way.

--
Karl Denninger
AC Nielsen
kdenning@ksun.naitc.com
(708) 317-3285
Disclaimer: Contents represent opinions of the author; I do not speak for
AC Nielsen on Usenet.
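
Added example, not part of the original post or written by its author: a shell sketch of the execute-only approach the post describes, which lists world-readable executables in a directory and clears group/other read on compiled binaries only. The function names (is_script, audit_dir, harden_dir) are hypothetical, and it assumes the files are owned by root or a system account; scripts are skipped because an interpreter has to read the file it runs.

```shell
#!/bin/sh
# Added example (not from the post): audit binary directories for executables
# that any user can read, and therefore copy off the system.
# Assumption: the directories hold binaries owned by root or a system account.

# is_script FILE: succeeds if FILE starts with "#!". Interpreter scripts must
# stay readable, because the interpreter opens the file to read it.
is_script() {
    [ "$(od -An -tx1 -N2 "$1" 2>/dev/null | tr -d ' \n')" = "2321" ]
}

# audit_dir DIR: list regular files that are both world-readable and
# world-executable. "FIX" marks compiled binaries, "SKIP" marks scripts.
# File names containing newlines are not handled.
audit_dir() {
    find "$1" -type f -perm -0005 | sort | while IFS= read -r f; do
        if is_script "$f"; then
            echo "SKIP $f"
        else
            echo "FIX $f"
        fi
    done
}

# harden_dir DIR: clear group and other read on the FIX entries only,
# e.g. mode 755 becomes 711 (execute-only for everyone but the owner).
harden_dir() {
    audit_dir "$1" | while IFS= read -r line; do
        case $line in
            "FIX "*) chmod go-r "${line#FIX }" ;;
        esac
    done
}

# Report only when run directly: sh audit.sh /bin /usr/bin
if [ "$#" -gt 0 ]; then
    for dir in "$@"; do
        audit_dir "$dir"
    done
fi
```

Running the script with directory arguments only reports; harden_dir changes modes and is meant to be called after the FIX list has been reviewed.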