Message-ID: <788156205.20070309195545@SECURITY.NNOV.RU>
Date: Fri, 9 Mar 2007 19:55:45 +0300
From: 3APA3A <3APA3A@...URITY.NNOV.RU>
To: "Roger A. Grimes" <roger@...neretcs.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Microsoft Windows Vista/2003/XP/2000 file management security issues

Dear Roger A. Grimes,

--Friday, March 9, 2007, 6:49:13 PM, you wrote to 3APA3A@...URITY.NNOV.RU:


RAG> For  one,  I've  been  a sys admin for 20 years and NEVER created a
RAG> private folder under a public folder.

Nice. What about creating a "Sales Reports" folder, which only the head of the Sales
department has access to, inside the "Sales" folder?

RAG> I mean let's debate why users get Full Control to their own
RAG> folders in the first place. That's a common scenario (it's on
RAG> nearly every network) and it's almost always too many permissions.
RAG> Do I want my regular end-users changing their folder's security
RAG> permissions? No. Should any regular end-user have Full Control to
RAG> any share? No, for the same reason.  These are valid, common,
RAG> security points that really do beg further discussion.

There is no actual difference between "Change" and "Full Control"
permissions for NTFS. "Change" gives you the ability to delete and create
objects. The ability to delete some object and create it again gives you a
way to become the object's owner, as if you had the "Take ownership" individual
permission. As an owner you always have the implicit "Change permissions"
individual permission. So, you have your "Full control" without having
it. There is simply nothing more to debate here. The ownership problem was
debated for ages.

RAG> You're just making up crap that isn't overly realistic in
RAG> the world, then going further to assume that a bonehead
RAG> administrator compounds the problem by making further insecure
RAG> decisions.

RAG> You are essentially saying, "If you misconfigure your system and
RAG> make further insecure choices, someone can hack you." Duh.

Who can tell me that creating "Sales reports" inside "Sales" is an insecure
choice?

RAG> There's  a  reason  why your "announcements" aren't making the news
RAG> media...because it isn't news.

If I want to "make the news media", I write an article on Russian
cyberterrorism and its connection with Ukraine, Germany and the US. Not an
article on enterprise file management security best practices.

RAG> With that said, you have something valid to say, but so far
RAG> it just isn't a "security vulnerability" that people need to be
RAG> aware of.

Roger, please read the "Intro" section, it's rather small.

RAG> You're a smart person, concentrate on issues that will really
RAG> give us bang for the buck discussions and issues.

Are we not discussing?

RAG> Roger

RAG> *****************************************************************
RAG> *Roger A. Grimes, InfoWorld, Security Columnist 
RAG> *CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
RAG> *email: roger_grimes@...oworld.com or roger@...neretcs.com
RAG> *Author of Professional Windows Desktop and Server Hardening (Wrox)
RAG> *http://www.amazon.com/gp/product/0764599909
RAG> *****************************************************************

-- 
~/ZARAZA http://securityvulns.com/
Yes, he was damn lucky. And how miserably he would have fared if he had survived! (Twain)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
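The disputed scenario in this message is a "private" subfolder (inheritance broken, access limited to one person) sitting inside a folder where ordinary users hold Change-level rights (delete and create). The following PowerShell audit script is an added example, not code from the message or its author: it walks a share root, finds subfolders whose ACL no longer inherits from the parent, and lists principals who can delete or create in the parent but are granted nothing on the child, together with the child's current owner. The `$Root` path is a placeholder; it assumes it is run as an account able to read ACLs on the whole tree.

```powershell
# Added audit example (not from the original message). Flags the pattern discussed in
# the thread: a non-inheriting ("private") folder whose parent grants delete/create
# rights to principals that have no access to the folder itself.
param(
    [string]$Root = 'D:\Shares\Sales'   # placeholder: replace with the share root to audit
)

# Rights that allow deleting and re-creating objects in a folder; the reply argues that
# these Change-level rights are in practice equivalent to Full Control via re-ownership.
$changeRights = [System.Security.AccessControl.FileSystemRights]::Delete -bor
                [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
                [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
                [System.Security.AccessControl.FileSystemRights]::CreateFiles

# Principals holding any of the change rights (explicit or inherited Allow entries) on $Path.
function Get-ChangeHolders {
    param([string]$Path)
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]($_.FileSystemRights -band $changeRights)) -ne 0
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

# Principals granted anything at all on $Path.
function Get-AllowedIdentities {
    param([string]$Path)
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

$findings = foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue) {
    $childAcl = Get-Acl -LiteralPath $dir.FullName

    # Only folders with inheritance disabled count as "private" subfolders here.
    if (-not $childAcl.AreAccessRulesProtected) { continue }

    $parentChange = Get-ChangeHolders     -Path $dir.Parent.FullName
    $childAllowed = Get-AllowedIdentities -Path $dir.FullName

    # Principals who can delete/create in the parent but hold no grant on the child.
    $exposed = @($parentChange | Where-Object { $childAllowed -notcontains $_ })
    if ($exposed.Count -gt 0) {
        [pscustomobject]@{
            PrivateFolder        = $dir.FullName
            Parent               = $dir.Parent.FullName
            Owner                = $childAcl.Owner
            ParentChangeHolders  = ($exposed -join ', ')
        }
    }
}

$findings | Format-Table -AutoSize
```

Two limitations to keep in mind when reading the output: the script looks only at Allow entries, so a principal listed may in fact be blocked by a Deny entry it does not evaluate, and it does not expand group membership, so a user granted access through a different group than the one named on the parent will appear as "exposed" even though they do have access to the child. Treat the result as a list of folders to review by hand, not as a verdict.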
