Limited Function Rarely Is

Copyright(c) Management Analytics, 1995 - All Rights Reserved

Copyright(c), 1990, 1995 Dr. Frederick B. Cohen - All Rights Reserved

Problem:

Many products are designed to provide nominal protection if their function is limited. They limit their function by providing a command interpreter or other mechanism that is supposed to prevent the user from bypassing controls, but in many cases, this can be bypassed by a clever enough user. For example, many such systems are invoked by Sh or Csh, and can be "core dumped" by typing an appropriate keyboard combination. Once halted, they may revert to the command interpreter, leaving the user logged into a privileged Uid. It is usually a mistake to believe vendor claims about protection matters, since most vendors are not knowledgeable enough to provide sound protection.

Prevention:

The first step towards a solution to this problem is using a limited function program in place of Sh at login. This is done by modifying the `/etc/passwd' file to run the limited function program instead of Sh or Csh.
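A way to check that the login-shell change described above is actually in place, written as an added example that is not part of the original text: it parses passwd entries and reports accounts meant to be limited that still log in to a general shell, or whose limited program runs with Uid 0. The account names, the program path /usr/local/bin/menu, the shell list and the sample entries are all constructed assumptions.

```python
# Added example: audit passwd entries for the login-shell setting described above.
GENERAL_SHELLS = {"/bin/sh", "/bin/csh", "/bin/ksh", "/bin/bash"}  # assumed list; adjust per system

# Constructed sample data, not from any real system. The account names and
# /usr/local/bin/menu (a limited-function program) are hypothetical.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
menu:x:1001:100:Menu user:/home/menu:/usr/local/bin/menu
report:x:1002:100:Report user:/home/report:/bin/csh
kiosk:x:1003:100:Kiosk user:/home/kiosk:
opsmenu:x:0:0:Ops menu:/:/usr/local/bin/menu
"""

def parse_passwd(text):
    """Yield (name, uid, shell) for each well-formed seven-field entry."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # malformed entry; skipped here, worth reviewing by hand
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        # An empty shell field means the system default, /bin/sh.
        yield name, int(uid), shell or "/bin/sh"

def audit(text, limited_accounts):
    """Return findings for accounts that are meant to be limited-function."""
    findings = []
    for name, uid, shell in parse_passwd(text):
        if name not in limited_accounts:
            continue
        if shell in GENERAL_SHELLS:
            # The login still starts Sh or Csh, so the prevention step is missing.
            findings.append((name, "logs in to general shell " + shell))
        elif uid == 0:
            # If the limited program is bypassed, the session holds a privileged Uid.
            findings.append((name, "limited program runs with Uid 0"))
    return findings

if __name__ == "__main__":
    for name, problem in audit(SAMPLE_PASSWD, {"menu", "report", "kiosk", "opsmenu"}):
        print(name + ": " + problem)
```
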

Detection:

Sometimes testing reveals these flaws, but there is no reasonable amount of testing that can assure proper operation. In other words, by experimenting we can prove programs wrong but not right.

Cure:

There is rarely a cure for vendor supplied software, but it is a good idea to use vendor protection only as an augmentation of system protection mechanisms instead of trusting it implicitly.