Removing chmod world write support and sftp

2007-04-11 Thread Joshua Gimer
We have several production web servers and I am trying to figure out a way
to remove world write support from chmod. I have already written a wrapper
for the chmod command, but it does not seem to work within sftp; has anyone
encountered anything that could help in implementing this, or have any
suggestions.

-- 
Thx
Joshua Gimer



Re: Removing chmod world write support and sftp

2007-04-11 Thread Nick !

On 4/11/07, Joshua Gimer [EMAIL PROTECTED] wrote:

> We have several production web servers and I am trying to figure out a way
> to remove world write support from chmod. I have already written a wrapper
> for the chmod command, but it does not seem to work within sftp; has anyone
> encountered anything that could help in implementing this, or have any
> suggestions


You mean, make it so that
chmod o+w
doesn't work?

Intuition from hanging around misc@ long enough tells me that there is
a good reason to keep this support, and that you're trying to solve
the wrong problem. But if you really want this you should edit chmod's
source code directly; it's simpler, and any wrapper would have to have
access to the original, and any user would have to have access to the
wrapper, and so because of the way unix permissions work any user
would still have access to chmod (I think, right?); you're not really
planning on security by obscurity are you?

-Nick



Re: Removing chmod world write support and sftp

2007-04-11 Thread Nick !

On 4/11/07, Joshua Gimer [EMAIL PROTECTED] wrote:

> On 4/11/07, Nick ! [EMAIL PROTECTED] wrote:
>
> > you're not really
> > planning on security by obscurity are you?
>
> The wrapper will work because the users that are doing this are doing it out
> of ignorance and not with malicious intentions.

This is a dangerous assumption.

> If the only thing that can
> be done is to change the sftp code,

Not the sftp code, the chmod code. It should be a one or two line change.

-Nick



Re: Removing chmod world write support and sftp

2007-04-11 Thread Joshua Gimer
On 4/11/07, Nick ! [EMAIL PROTECTED] wrote:

> you're not really
> planning on security by obscurity are you?


The wrapper will work because the users that are doing this are doing it out
of ignorance and not with malicious intentions. If the only thing that can
be done is to change the sftp code, then I think that I will just write a
script that will go through and remove o+w from directories every hour or
so. There are going to only be about 50 users accessing this system and I do
not think that putting forth the effort is worth it, especially when I still
have 11 other systems to set up and configure by May 13th. :)

-- 
Thx
Joshua Gimer
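
The hourly sweep proposed in the message above, written out as an added example (not code from the thread; it also handles regular files, and the web root argument is an assumption). It acts on the resulting modes, so it catches bits set over sftp, where sftp-server calls chmod(2) directly rather than running the chmod binary, but only after the fact.

```shell
#!/bin/sh
# Added example: sweep a web root and clear the "other" write bit.
# Nothing here comes from the thread; the root directory is supplied by the caller.

# count_world_writable ROOT
# Prints how many directories and regular files under ROOT are world-writable.
count_world_writable() {
    # One dot per match, so odd file names (spaces, newlines) cannot skew the count.
    find "$1" -xdev \( -type d -o -type f \) -perm -0002 -exec printf . \; \
        | wc -c | tr -d ' '
}

# strip_world_write ROOT
# Clears o+w on every directory and regular file under ROOT and prints one
# "fixed <path>" line per object changed. Other permission bits are untouched.
strip_world_write() {
    root=$1
    if [ ! -d "$root" ]; then
        echo "strip_world_write: not a directory: $root" >&2
        return 2
    fi
    # -xdev         stay on ROOT's filesystem
    # -type d / f   symbolic links are never selected
    # -perm -0002   the other-write bit is set, whatever else is set
    # Caveat: chmod resolves the path again, so this trusts that paths are not
    # swapped between the find and the chmod.
    find "$root" -xdev \( -type d -o -type f \) -perm -0002 -exec sh -c '
        for p in "$@"; do
            chmod o-w "$p" && printf "fixed %s\n" "$p"
        done' sh {} +
}

# When run as a script with a directory argument, e.g. hourly from cron:
#   strip_world_write.sh /path/to/webroot   (script name and path are placeholders)
if [ "$#" -gt 0 ]; then
    strip_world_write "$1"
fi
```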



Re: Removing chmod world write support and sftp

2007-04-11 Thread System Administrator
On 11 Apr 2007 at 16:33, Joshua Gimer wrote:

> On 4/11/07, Nick ! [EMAIL PROTECTED] wrote:
>
> > you're not really
> > planning on security by obscurity are you?
>
> The wrapper will work because the users that are doing this are doing it
> out of ignorance and not with malicious intentions. If the only thing
> that can be done is to change the sftp code, then I think that I will
> just write a script that will go through and remove o+w from directories
> every hour or so. There are going to only be about 50 users accessing

You'll be amazed how much warez and porn can get uploaded in less than 
an hour ...

> this system and I do not think that putting forth the effort is worth
> it, especially when I still have 11 other systems to set up and configure
> by May 13th. :)
>
> -- 
> Thx
> Joshua Gimer
 

-
System Administrator    [EMAIL PROTECTED]
Bitwise Internet Technologies, Inc.
22 Drydock Avenue tel: (617) 737-1837
Boston, MA 02210  fax: (617) 439-4941