Session recording
Kenny Lussier
klussier at gmail.com
Wed Apr 2 13:38:03 EDT 2008
On Wed, Apr 2, 2008 at 10:15 AM, Paul Lussier <p.lussier at comcast.net> wrote:
> "Kenny Lussier" <klussier at gmail.com> writes:
>
> > The point isn't to limit what they can do on the system (that is a
> > completely different issue). The problem is to account for what they
> > do, and to go to the logs and say that User X issued command Y at n
> > time. The truth is, we don't care what shell they do it in. The
> > decision to limit people to a single shell was a development decision,
> > not a security decision.
>
> Right, but you've ultimately gone to that end where you have, in fact,
> limited people to a single shell. And, if that's the case, why not
> also go further and restrict them to not being able to edit the shell
> config files. It's still a 'developmental' decision in how you carry
> out your security policy.
>
> If you, for "developmental" reasons, have limited them to a single
> shell, and, your policy calls for controlling the PS* prompts and
> other environmental variables in order to carry out that policy, it's
> a simple (if not required) extension to restrict them from altering
> those environmental conditions (up to and including global warming ;)
>
> If you don't, and they do, how can you prove they did when they say
> they didn't? After all they were able to when you allowed them the
> possibility without restricting them in the first place!
>
> Got it?
Compared to the specs that I'm currently reading, that made perfect
sense!! :-) I believe that the "developmental reason" for limiting
people to one shell was that the people that developed the apps that
run on these systems didn't want to deal with people writing scripts
in other shells. I admit that I am not entirely sure, as I am still
getting to know the environment. However, I agree that controlling as
much of the environment as possible is the road to go down. We are
even looking at writing our own CLI for these systems in order to
granularly control everything.
C-Ya,
Kenny
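Example code added here, not from the thread or either poster: a bash command-accounting hook of the sort the discussion describes, meant to be installed from a system-wide rc file (assumed to be /etc/bash.bashrc) and frozen with readonly so a user's own rc files cannot redefine or switch it off, plus a lookup that answers "User X issued command Y at time n" from the resulting log. The function names, the record format, and the use of a temp file in place of logger(1)/syslog are assumptions.

```shell
#!/bin/bash
# Added example, not from the thread: a prompt hook of the kind Paul describes,
# meant to live in a system-wide rc file (assumed /etc/bash.bashrc) and frozen
# with readonly so the user's own rc files cannot redefine or unset it.
# Assumption: a temp file stands in for logger(1)/syslog and an append-only log.
ACCT_LOG="${ACCT_LOG:-$(mktemp)}"

# Append one record: ISO timestamp, user, tty, shell pid, command text.
acct_record() {
    tty_name=$(tty 2>/dev/null) || tty_name=notty
    printf '%s %s %s %s %s\n' "$(date +%Y-%m-%dT%H:%M:%S)" "${USER:-$(id -un)}" \
        "$tty_name" "$$" "$1" >> "$ACCT_LOG"
}

# Newest history entry = the line just run (bash only; an empty Enter re-logs it).
acct_last_command() {
    HISTTIMEFORMAT= history 1 | sed 's/^ *[0-9][0-9]* *//'
}

# Install the hook and freeze it: a readonly variable cannot be reassigned or
# unset, and under bash the functions themselves can be frozen too.
acct_install() {
    PROMPT_COMMAND='acct_record "$(acct_last_command)"'
    readonly PROMPT_COMMAND
    [ -n "${BASH_VERSION:-}" ] && readonly -f acct_record acct_last_command
    return 0
}

# Returns 0 if the hook resists tampering (Paul's "prove they did" point):
# both a reassignment and an unset must fail once the variable is readonly.
acct_check_tamper() {
    ( PROMPT_COMMAND=true ) 2>/dev/null && return 1
    ( unset PROMPT_COMMAND ) 2>/dev/null && return 1
    return 0
}

# Answer "what did user X run, and when?" from the log: "timestamp command".
acct_lookup() {
    awk -v u="$2" '$2 == u { ts = $1; $1 = $2 = $3 = $4 = ""; sub(/^ +/, ""); print ts, $0 }' "$1"
}

acct_demo() {
    acct_install
    acct_record 'cat /etc/hosts'   # constructed commands, as typed by a user
    acct_record 'uptime'
    acct_check_tamper && echo "hook is readonly" || echo "hook can be altered"
    acct_lookup "$ACCT_LOG" "${USER:-$(id -un)}"
}
acct_demo
```

Run interactively, the hook fires before each prompt, so the same functions record real commands; run as a script, the demo shows the log format and that the frozen hook rejects reassignment.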