Limited Function Rarely Is
Copyright(c) Management Analytics, 1995 - All Rights Reserved
Copyright(c), 1990, 1995 Dr. Frederick B. Cohen - All Rights Reserved
Problem:
Many products are designed to provide nominal protection if
their function is limited. They limit their function by providing a
command interpreter or other mechanism that is supposed to prevent the
user from bypassing controls, but in many cases, this can be bypassed
by a clever enough user. For example, many such systems are invoked by
Sh or Csh, and can be ``core dumped'' by typing an appropriate
keyboard combination. Once halted, they may revert to the command
interpreter, leaving the user logged into a privileged Uid. It is
usually a mistake to believe vendor claims about protection matters,
since most vendors are not knowledgeable enough to provide sound
protection.
Prevention:
The first step towards a solution to this problem is using a
limited function program in place of Sh at login. This is done by
modifying the `/etc/passwd' file to run the limited function program
instead of Sh or Csh.
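
One way to check the login-shell field described above is the following added example, which is not part of the original text. It reads data in `/etc/passwd' format and reports which accounts still land in a command interpreter at login; the sample entries, the `menu' account and the path /usr/local/bin/menu are constructed, hypothetical names.

```shell
#!/bin/sh
# Added example: audit passwd-format data for accounts whose login
# program is a general-purpose command interpreter.

# Constructed sample in /etc/passwd format. "menu" and
# /usr/local/bin/menu are hypothetical names for a limited-function
# account and its program.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
operator:x:0:0:operator console:/home/operator:/bin/csh
menu:x:1001:100:order entry:/home/menu:/usr/local/bin/menu
kiosk:x:1002:100:kiosk:/home/kiosk:
backup:x:1003:100:backup:/home/backup:/usr/local/bin/menu
EOF
}

# classify_shells: read passwd lines on stdin and print
# "name uid class shell" for each account. class is "interpreter" when
# login starts Sh, Csh or a relative, and "limited" otherwise.
classify_shells() {
    awk -F: '
        /^#/ || NF < 7 { next }                 # skip comments and short lines
        {
            shell = $7
            if (shell == "") shell = "/bin/sh"  # an empty field means /bin/sh
            n = split(shell, parts, "/")
            base = parts[n]
            class = (base ~ /^(sh|csh|tcsh|ksh|bash|zsh|dash)$/) ? "interpreter" : "limited"
            print $1, $3, class, shell
        }'
}

# privileged_interpreter_logins: names of Uid 0 accounts that get an
# interpreter at login, the case the Problem section warns about.
privileged_interpreter_logins() {
    classify_shells | awk '$2 == 0 && $3 == "interpreter" { print $1 }'
}

# Stand-alone run over the constructed sample.
sample_passwd | classify_shells
```

A "limited" result only shows that login does not start an interpreter directly; it says nothing about whether the limited function program itself can be bypassed.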
Detection:
Sometimes testing reveals these flaws, but there is no
reasonable amount of testing that can assure proper operation. In other
words, by experimenting we can prove programs wrong but not right.
Cure:
There is rarely a cure for vendor supplied software, but it is
a good idea to use vendor protection only as an augmentation of system
protection mechanisms instead of trusting it implicitly.