It's the 1990s, and this pilot fish is hired at a big international company to maintain a group of Linux servers -- and they definitely need help."My initial survey of the systems uncovered some serious security problems," says fish. "Everything had been set up and users added with no regard to security."As a temporary holding action, I set all the users' login shells to a custom restricted shell that allowed each user access to only the directories and commands necessary for their work while I analyzed all the systems, planned a decent security configuration for each, got approvals, did testing and, finally, implemented the new security."The users hate the restricted shell almost as much as fish hates handling all the problems the users are having -- and some users complain on a daily basis. But some do more than that. Fish discovers one clever user has come up with what he thinks is a cool hack to bypass the restricted shell. The hack: From inside the restricted command-line shell, the user runs the command to launch the standard command-line shell.And he thinks it works -- though actually the command is automatically redirected and all the user gets is the restricted shell again.Meanwhile, fish works furiously to get the new security in place. And as soon as every Linux system is properly secured, he resets all the users' configurations back to a normal command shell."A little while later, in checking how the users were doing, I discovered that the clever user was still running a command to escape from what he thought was still a restricted shell," fish says. "He was issuing the specific command that invoked the restricted shell. So while everyone else was running a normal shell, this clever user was still restricted. "I didn't tell him."Tell Sharky your true tale of IT life at Diese E-Mail-Adresse ist vor Spambots geschützt! Zur Anzeige muss JavaScript eingeschaltet sein!. You'll score a sharp Shark shirt if I use it. Comment on today's tale at Sharky's Google+ community, and read thousands of great old tales in the Sharkives.Get Sharky's outtakes from the IT Theater of the Absurd delivered directly to your Inbox. Subscribe now to the Daily Shark Newsletter.
Wir nutzen Cookies auf unserer Website. Einige von ihnen sind essenziell für den Betrieb der Seite, während andere uns helfen, diese Website und die Nutzererfahrung zu verbessern (Tracking Cookies). Sie können selbst entscheiden, ob Sie die Cookies zulassen möchten. Bitte beachten Sie, dass bei einer Ablehnung womöglich nicht mehr alle Funktionalitäten der Seite zur Verfügung stehen.
It's the 1990s, and this pilot fish is hired at a big international company to maintain a group of Linux servers -- and they definitely need help."My initial survey of the systems uncovered some serious security problems," says fish. "Everything had been set up and users added with no regard to security."As a temporary holding action, I set all the users' login shells to a custom restricted shell that allowed each user access to only the directories and commands necessary for their work while I analyzed all the systems, planned a decent security configuration for each, got approvals, did testing and, finally, implemented the new security."The users hate the restricted shell almost as much as fish hates handling all the problems the users are having -- and some users complain on a daily basis. But some do more than that. Fish discovers one clever user has come up with what he thinks is a cool hack to bypass the restricted shell. The hack: From inside the restricted command-line shell, the user runs the command to launch the standard command-line shell.And he thinks it works -- though actually the command is automatically redirected and all the user gets is the restricted shell again.Meanwhile, fish works furiously to get the new security in place. And as soon as every Linux system is properly secured, he resets all the users' configurations back to a normal command shell."A little while later, in checking how the users were doing, I discovered that the clever user was still running a command to escape from what he thought was still a restricted shell," fish says. "He was issuing the specific command that invoked the restricted shell. So while everyone else was running a normal shell, this clever user was still restricted. "I didn't tell him."Tell Sharky your true tale of IT life at Diese E-Mail-Adresse ist vor Spambots geschützt! Zur Anzeige muss JavaScript eingeschaltet sein!. You'll score a sharp Shark shirt if I use it. Comment on today's tale at Sharky's Google+ community, and read thousands of great old tales in the Sharkives.Get Sharky's outtakes from the IT Theater of the Absurd delivered directly to your Inbox. Subscribe now to the Daily Shark Newsletter.