On Thu, Mar 7, 2013 at 12:49 AM, Jeremy Laidman <jlaidman at rebel-it.com.au> wrote:
> On 2 March 2013 06:44, Larry Barber <lebarber at gmail.com> wrote:
>> It could allow bogus reports to be sent to the Xymon server, maybe hiding something malicious.
> I can do that using telnet, or in the absence of telnet, I can use bash. The binaries make it slightly more convenient, that's all.
>> Also, a lot of security scans will pick up on things that are world-executable and not in one of the standard directories (like /usr/bin, /bin, etc.).
> Really! Why? I've never seen this, except when the script is also world-writeable. What security scanner(s) are you referring to?
> Lots of users write their own scripts and keep them in their home directories. Sysadmins write scripts like this all the time. I'm not sure this is a useful security stance.
> J
It's a common notion, although I don't think it really helps in true security very often. I've usually seen it in places where a draconian security policy is compiled by people who don't really understand what they're doing from a wide range of internet sources that are then too widely applied. E.g., one place I worked for established a security policy that insisted that root's home dir be mode 700, owned by root. Which is a pretty decent suggestion for Linux machines where root's home is (typically) /root. On a Solaris machine where root's home dir is typically (or at least was then) /, it'll render a machine unusable. But since it'd been found at what some security auditor considered to be a reputable site and s/he didn't understand the underlying reasoning, it became the standard policy to be applied across all OSes and all machines (and yes, if you add the extra clause that root's home dir cannot be /, it goes back to possibly a reasonable security policy).
You can also argue that it's part of a 'least possible permissions' sort of thing where only the users/groups that _need_ to run the programs/scripts have perms to do it, reducing the potential exposure if a security flaw is uncovered at some point in the future.
-- Even the Magic 8 ball has an opinion on email clients: Outlook not so good.
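As an added illustration of the two audit policies argued over in this thread (this is example code written for this archive page, not anything posted by the list members or shipped with Xymon), the POSIX shell below encodes them with the nuances the thread raises: a world-executable file outside the standard directories is only flagged as a real problem when it is also world-writable, and the "root's home must be 0700" rule gets the missing clause that exempts a home directory of /. The STD_DIRS list, the output labels, and the use of find's symbolic -perm syntax (GNU and BSD find) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit checks for the two policies
# discussed above. STD_DIRS and the output labels are assumptions made here.

# Directories where world-executable files are expected (assumption).
STD_DIRS="/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin"

# Succeed (exit 0) when the path lies under one of STD_DIRS.
in_std_dir() {
    for d in $STD_DIRS; do
        case "$1" in
            "$d"/*) return 0 ;;
        esac
    done
    return 1
}

# Classify a file from its path and octal mode string (755, 4755, 0755 ...).
# Prints one of:
#   ok                   - not world-executable, or inside a standard directory
#   world-exec           - world-executable outside the standard directories
#   world-exec-writable  - the same, and also world-writable (the real risk)
classify_file() {
    path=$1
    mode=$2
    o=${mode#"${mode%?}"}          # last octal digit = "other" permission bits
    if [ $(( o & 1 )) -eq 0 ] || in_std_dir "$path"; then
        echo ok
    elif [ $(( o & 2 )) -ne 0 ]; then
        echo world-exec-writable
    else
        echo world-exec
    fi
}

# The root-home policy with the missing clause added: require mode 700 owned
# by root, but exempt a root home of / (the Solaris-style layout), because
# locking / down to 0700 renders the machine unusable.
# Prints: exempt, ok or violation.
root_home_policy() {
    home=$1
    mode=${2#"${2%???}"}           # normalise 0700 / 700 to the low three digits
    owner=$3
    if [ "$home" = "/" ]; then
        echo exempt
    elif [ "$mode" = "700" ] && [ "$owner" = "root" ]; then
        echo ok
    else
        echo violation
    fi
}

# Walk a directory tree with find(1) and report world-executable regular files
# outside STD_DIRS, separating the merely world-executable from the
# world-writable ones that actually deserve attention.
audit_tree() {
    find "$1" -type f -perm -o=x 2>/dev/null | while read -r f; do
        in_std_dir "$f" && continue
        if find "$f" -prune -perm -o=w | grep -q .; then
            echo "world-exec-writable $f"
        else
            echo "world-exec $f"
        fi
    done
}

# Constructed demo on a throwaway directory: one ordinary user script (755)
# and one sloppy script (777).
demo_dir=$(mktemp -d)
printf '#!/bin/sh\necho hi\n' > "$demo_dir/user-script.sh"
chmod 755 "$demo_dir/user-script.sh"
printf '#!/bin/sh\necho hi\n' > "$demo_dir/sloppy.sh"
chmod 777 "$demo_dir/sloppy.sh"
audit_tree "$demo_dir"
rm -rf "$demo_dir"
```

Running the file prints one line per flagged file from the demo directory; on a real host, point audit_tree at /home or /opt and grep for world-exec-writable to get the short list that matters, rather than the long list of harmless user scripts a blanket scanner rule would produce.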