Clever, redefined

Credit to Author: Sharky | Date: Fri, 23 Feb 2018 03:00:00 -0800

It’s the 1990s, and this pilot fish is hired at a big international company to maintain a group of Linux servers — and they definitely need help.

“My initial survey of the systems uncovered some serious security problems,” says fish. “Everything had been set up and users added with no regard to security.

“As a temporary holding action, I set all the users’ login shells to a custom restricted shell that allowed each user access to only the directories and commands necessary for their work while I analyzed all the systems, planned a decent security configuration for each, got approvals, did testing and, finally, implemented the new security.”

The users hate the restricted shell almost as much as fish hates handling all the problems the users are having — and some users complain on a daily basis.

But some do more than that. Fish discovers one clever user has come up with what he thinks is a cool hack to bypass the restricted shell. The hack: From inside the restricted command-line shell, the user runs the command to launch the standard command-line shell.

And he thinks it works — though actually the command is automatically redirected and all the user gets is the restricted shell again.

Meanwhile, fish works furiously to get the new security in place. And as soon as every Linux system is properly secured, he resets all the users’ configurations back to a normal command shell.

“A little while later, in checking how the users were doing, I discovered that the clever user was still running a command to escape from what he thought was still a restricted shell,” fish says. “He was issuing the specific command that invoked the restricted shell. So while everyone else was running a normal shell, this clever user was still restricted.

“I didn’t tell him.”
