{"id":11571,"date":"2018-02-23T04:30:08","date_gmt":"2018-02-23T12:30:08","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/02\/23\/news-5342\/"},"modified":"2018-02-23T04:30:08","modified_gmt":"2018-02-23T12:30:08","slug":"news-5342","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2018\/02\/23\/news-5342\/","title":{"rendered":"Clever, redefined"},"content":{"rendered":"

Credit to Author: Sharky| Date: Fri, 23 Feb 2018 03:00:00 -0800<\/strong><\/p>\n

It’s the 1990s, and this pilot fish is hired at a big international company to maintain a group of Linux servers — and they definitely need help.<\/p>\n

“My initial survey of the systems uncovered some serious security problems,” says fish. “Everything had been set up and users added with no regard to security.<\/p>\n

“As a temporary holding action, I set all the users’ login shells to a custom restricted shell that allowed each user access to only the directories and commands necessary for their work while I analyzed all the systems, planned a decent security configuration for each, got approvals, did testing and, finally, implemented the new security.”<\/p>\n

The users hate the restricted shell almost as much as fish hates handling all the problems the users are having — and some users complain on a daily basis.<\/p>\n

But some do more than that. Fish discovers one clever user has come up with what he thinks is a cool hack to bypass the restricted shell. The hack: From inside the restricted command-line shell, the user runs the command to launch the standard command-line shell.<\/p>\n

And he thinks it works — though actually the command is automatically redirected and all the user gets is the restricted shell again.<\/p>\n

Meanwhile, fish works furiously to get the new security in place. And as soon as every Linux system is properly secured, he resets all the users’ configurations back to a normal command shell.<\/p>\n

“A little while later, in checking how the users were doing, I discovered that the clever user was still running a command to escape from what he thought was still a restricted shell,” fish says. “He was issuing the specific command that invoked the restricted shell. So while everyone else was running a normal shell, this clever user was still restricted.<\/p>\n

“I didn’t tell him.”<\/p>\n

Tell Sharky<\/strong> your true tale of IT life at sharky@computerworld.com<\/a>. You’ll score a sharp Shark shirt if I use it. Comment on today’s tale at Sharky’s Google+ community<\/strong><\/a>, and read thousands of great old tales in the Sharkives<\/strong><\/a>.<\/i><\/p>\n

Get Sharky’s outtakes from the IT Theater of the Absurd delivered directly to your Inbox. Subscribe now to the Daily Shark Newsletter<\/a>.<\/em><\/p>\n

http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Credit to Author: Sharky| Date: Fri, 23 Feb 2018 03:00:00 -0800<\/strong><\/p>\n

\n
\n

It’s the 1990s, and this pilot fish is hired at a big international company to maintain a group of Linux servers — and they definitely need help.<\/p>\n

“My initial survey of the systems uncovered some serious security problems,” says fish. “Everything had been set up and users added with no regard to security.<\/p>\n

“As a temporary holding action, I set all the users’ login shells to a custom restricted shell that allowed each user access to only the directories and commands necessary for their work while I analyzed all the systems, planned a decent security configuration for each, got approvals, did testing and, finally, implemented the new security.”<\/p>\n

To read this article in full, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[714],"class_list":["post-11571","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11571","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=11571"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11571\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=11571"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=11571"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=11571"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}