The 'Security Digest' Archives (TM)

Archive: About | Browse | Search | Contributions | Feedback
Site: Help | Index | Search | Contact | Notices | Changes

ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #330 [more on security] (1 message, 592 bytes)
SOURCE: http://securitydigest.org/exec/display?f=phage/archive/330.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT

From: Gene Spafford <spaf>
To: phage
Date: Mon 22:53:09 05/12/1988 EST
Subject: more on security
References: [Thread Prev: 329] [Thread Next: 336] [Message Prev: 333] [Message Next: 334]

Let me add something to that list I posted -- I'm not advocating
that source be kept from all users.  I'm advocating that source
be kept from users by default.  If users at your site have a
reason to access the source, even if for as indefinite reason
as "you want them to learn about the system," then add them to
the group id that can browse through the source.

Making things wide open by default is not the way to have better
security.  It may not be philsophically aligned with the way you
want to run a system, but you have to make tradeoffs when
trying to improve security.  If you decide not to restrict
access, so be it.  However, it can give clues to users just
looking around for weaknesses ("Hmmm, which utilities use 'gets'
or 'system'?")

--spaf

END OF DOCUMENT