Protecting against downloads

John G. DeArmond jgd at rsiatl.UUCP
Thu Sep 13 14:10:05 AEST 1990


heiser at sud509.ed.ray.com (Bill Heiser - Unix Sys Admin) writes:


>A *ix sysop I communicate with recently told me that he'd caught one of
>his "shell-access" users downloading *ix binaries.  

>As far as I can see, we either have to trust the users that we give
                                        ^^^^^^^^^^^^^^^
>shell access to, or make kermit/sz, etc unavailable to them.


The answer is in your post.  We have none of that problem here. 
Of course, we choose our users fairly carefully and have in
place a first-offense-termination rule.  Even if you
removed all file transfer programs and the development tools,
it would only take an experienced Unix programmer a little while
to hack together an elementary transfer program using awk, sed,
ed or any of a number of other tools.  Technology will never
solve problems of inferior ethics. 

A method of self-policing in regards to the quality of articles 
posted from this site might work for you.  We have a pretty liberal
posting policy and rely primarily on peer pressure for quality
control.  One mechanism is that we have a local newsgroup, rsi.postings,
that receives a copy of all locally posted articles.  The knowledge
that everybody on the system sees all posts regardless of the original
newsgroup is sufficient peer pressure that we've never had a problem.

You could probably do something similar by hacking the source to sz
and kermit to post the name of the user and the name of the file transferred
to a local newsgroup. 

One other thing we have is a custom-written getty that logs all keystrokes
received during the login process to an external device via a physically
one-way path.  This is designed to alert us to users who would play around
with password guessing and/or crackers who try the system.  We make the
existence of this system very public which serves as a deterrent.

I firmly believe that if one removes the barriers to a system that represent
challenges, the incentive to misbehave is removed for most people.  And you
simply eliminate the small subset that do misbehave.

If you really wanted to try a technology solution, one would be to
carefully restrict the permissions on binaries to execute-only.
I say "carefully" because you may break a number of scripts that
rely on being able to test the readability of files to verify
their existence.

John

-- 
John De Armond, WD4OQC  | We can no more blame our loss of freedom on congress
Radiation Systems, Inc. | than we can prostitution on pimps.  Both simply
Atlanta, Ga             | provide broker services for their customers.
{emory,uunet}!rsiatl!jgd|  - Dr. W Williams |                **I am the NRA**  
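
An added example, not part of the original post, for the execute-only suggestion and its caveat about scripts that test readability. It reports which executables would change and which scripts use a `-r` test before anything is modified; the function names and the directory argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): plan an execute-only lockdown.
# Function names and the directory argument are assumptions for illustration.

# True if FILE starts with "#!". Interpreted scripts must stay readable,
# because the interpreter opens and reads the file itself.
is_script() {
    head -c 2 "$1" 2>/dev/null | grep -q '^#!'
}

# Print executables under DIR that group or other can still read, skipping
# "#!" scripts. These are the files a chmod to execute-only would change.
lockdown_candidates() {
    find "$1" -type f \
        \( -perm -100 -o -perm -010 -o -perm -001 \) \
        \( -perm -040 -o -perm -004 \) -print |
    while IFS= read -r f; do
        is_script "$f" || printf '%s\n' "$f"
    done
}

# Print scripts directly in DIR that use a "-r" file test, the kind of
# existence check the post warns will fail once read permission is removed.
scripts_testing_readability() {
    for f in "$1"/*; do
        if is_script "$f" &&
           grep -qE '(\[|test)[[:space:]]+(![[:space:]]+)?-r[[:space:]]' "$f"
        then
            printf '%s\n' "$f"
        fi
    done
}

# Remove read and write for group and other; execute bits are left alone,
# so mode 755 becomes 711.
make_execute_only() {
    chmod go-rw "$1"
}

# Usage: sh lockdown.sh DIR   (report only; nothing is changed)
if [ $# -gt 0 ]; then
    echo "Candidates for execute-only:";     lockdown_candidates "$1"
    echo "Scripts with -r tests to review:"; scripts_testing_readability "$1"
fi
```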



More information about the Comp.unix.sysv386 mailing list