Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!uunet!vtserf!marchany
From: marchany@vtserf.cc.vt.edu (Randy Marchany)
Newsgroups: comp.admin.policy
Subject: Re: running COPS without asking (was: SUSPEND SYSOPS, NOT STUDENTS)
Message-ID: <1958@vtserf.cc.vt.edu>
Date: 25 Jun 91 04:20:17 GMT
References:
Organization: Virginia Tech, Blacksburg, VA
Lines: 44

In article jbw@maverick.uswest.com (Joe Wells) writes:
> Any useful security effort requires the cooperation and tolerance of the
> administrator (or his boss...or her boss...or SOMEBODY in the chain). And
> my comments were intended to encourage that cooperation where it can reasonably
> be achieved. If the cooperation of administration cannot be achieved then
> ANY ideas are useless.
>
>No, actually, the people responsible for the non-cooperation (i.e. the
>system administrators) should be disciplined. After all, they are being
>paid to do their job.
> So the only really rational choices are:
> 2. Get permission to poke at security. Go through as many levels
> as necessary to do so.
>The user already had permission (as all users on this system do by
>default) to access publicly accessible directories and files.
> 3. Poke at security and accept the consequences if caught.
>Hmm, accept the consequences of doing something he has already been
>granted permission to do, sounds funny.

Having not paid a lot of attention to this particular discussion, I was
just wondering what the WRITTEN policy at this site looks like. Does this
site have a written policy at all? If not, then it seems the
"administration" is leaving itself open to subjective interpretations of
what is considered "acceptable/ethical behaviour". If there is a STATED
policy on what is considered "proper" access of files, users running
their own "security checks", etc. and if the user has followed those
guidelines, then I can see Mr. Wells' point.
If the STATED policy forbids such actions, then there is no discussion as
to who is wrong in this case. If there is NO written policy, then there
should be in order to avoid the particular dilemma described here.

Again, get a policy WRITTEN down, get the users to affirm that they agree
to abide by the policy and that's it. A simple section stating something
like:

    Users are not allowed to perform "security checks" of their own
    without notifying a system administrator PRIOR to the action.
    Files that have world-read access granted can be read by any
    legitimate user of the system.

in the overall policy statement would prevent the kind of name calling
that is destructive to a workable computing environment.

-Randy Marchany
Va Tech Computing Center
Internet: marchany@vtserf.cc.vt.edu