[Dshield] Flavors of Linux

Eric Peters epeters at pcthome.com
Tue Oct 5 16:03:57 GMT 2004


Let me start off by saying I have to agree with Stephane 100%.

It is very easy to turn the administrator account's permissions under 
"windows" into an account with guest permissions, thus rendering NTFS 
permissions useless. Unlike *nix it takes a bit to render the root 
account useless, especially a hardened installation. I gave away free shell 
accounts to anybody (long ago and not any longer) with a hardened 
installation of Slack. I had people 24x7 try to crack the box and 128 
days uptime later no one was able to crack it. Try doing that on a 
Microsoft OS ;) Give complete strangers terminal services to that box 
and see how long it would last.

An OS with applications such as Browser, File Manager, E-mail (IE, 
Explorer, Outlook Express to name a few) so tied into the kernel or the 
core of the OS makes completely securing that box impossible in a multi-user 
environment, again rendering permissions of a file system useless. 
Remember *nix was made with the exact purpose for groups of people to 
work on the same server with security in mind; Windows was not! 
Microsoft is trying to do this now, and I can't see MS releasing a 
somewhat secure OS, unless they start from scratch and rewrite the 
entire OS from the ground up keeping a multi-user secure environment in 
mind and keeping applications out of the core of the OS.

Just my 2 cents

Cheers,

Eric




stephane nasdrovisky wrote:

> John B. Holmblad wrote:
>
>> I think it is fair to say that NTFS file permissions are more fine 
>> grained than those of Unix, but, unfortunately, their resulting 
>> complexity makes them more of a challenge to manage properly.
>
>
> What about file ACLs in the Unix world? File permissions are not 
> limited to the 3 rwx and setuid/setgid/don't remember the others 
> permissions anymore. i.e.: http://www.computerhope.com/unix/usetfacl.htm
> The major difference between Windows and Unix, in my opinion, is that 
> there is no super user under Windows: everything is permission based, 
> if you want a root-like account, you have to include it in admin 
> groups or give it allow everything permissions.
> The latest permissions related paradigm in the Unix world is 'role 
> based access control': http://csrc.nist.gov/rbac/