> This can be an effective strategy, but the way you describe it is
> actually a little more complex than it needs to be. You do not
> actually need to have a trusted group; you only need an untrusted
> group. The key here is the often overlooked fact that groups can be
> used to TAKE AWAY privileges as easily as they can be used to grant
> access. This is because of the way Unix permissions work.
The reason people usually ignore this fact is, in general, who cares. If you remove my permissions to a file, I just upload my own file and use it instead. Sure, you can turn off my rcp, ftp, & scp, but then I can probably still just email myself the file. Sure, you can turn off email attachments. There are other ways. You'd have to restrict me to my home directory *and* make it read-only for this to work. You'd also have to lock me out of /tmp, /var/tmp, ... There's no rule that states I have to run *your* copy except in the case of seteuid programs (which is, btw, another way I get around denied groups). I don't even need your system libraries; I can compile with static before I send it up.

Trusted groups are a good thing. Denied groups just make me a bit more creative, probably increasing my skill set along the way so that I become harder to notice.

Jeff
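The deny-group effect described in the quoted text, as an added example that is not part of the original thread: a constructed Python model of the POSIX permission check (owner class, else group class, else other class; the first matching class decides and never falls through), showing why a group with fewer bits than "other" removes access from its members. The uids, gids and mode values are made up for the demonstration.

```python
from dataclasses import dataclass

# Permission bits as used in a mode's rwx triplets.
R, W, X = 4, 2, 1


@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o604


@dataclass(frozen=True)
class User:
    uid: int
    groups: frozenset  # primary plus supplementary gids


def unix_access(inode: Inode, user: User, want: int) -> bool:
    """Model of the kernel's discretionary check: pick exactly one class
    (owner, else group, else other) and test the wanted bits against it.
    Membership in the file's group therefore *replaces* the 'other' bits
    rather than adding to them, which is what makes a deny group work."""
    if user.uid == inode.uid:
        cls = (inode.mode >> 6) & 7
    elif inode.gid in user.groups:
        cls = (inode.mode >> 3) & 7
    else:
        cls = inode.mode & 7
    return (cls & want) == want


def deny_group_demo() -> dict:
    """The 'untrusted group' setup from the quoted post (constructed values):
    equivalent to 'chgrp 500 prog; chmod 604 prog' -> owner rw-, group ---,
    other r--. Members of gid 500 get nothing; everyone else can read."""
    prog = Inode(uid=0, gid=500, mode=0o604)
    outsider = User(uid=1001, groups=frozenset({100}))
    untrusted = User(uid=1002, groups=frozenset({100, 500}))
    return {
        "outsider_can_read": unix_access(prog, outsider, R),
        "untrusted_member_can_read": unix_access(prog, untrusted, R),
    }


if __name__ == "__main__":
    print(deny_group_demo())  # {'outsider_can_read': True, 'untrusted_member_can_read': False}
```

As Jeff's reply points out, this only governs access to *that* inode: it says nothing about copies the user brings in or builds elsewhere, so the group denial is a restriction on one path, not on the capability.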