|
| From: | Paul Crawford |
| Subject: | Re: [Pan-users] Re: Save attachment file permissions |
| Date: | Sun, 22 Feb 2009 19:30:02 +0000 |
| User-agent: | Thunderbird 2.0.0.19 (X11/20090105) |
Steven D'Aprano wrote:
Windows doesn't understand Unix/Linux file systems, so it can't see Unix permissions natively. However, Windows does support NTFS, which uses an extraordinarily rich set of Access Control Lists capable of emulating anything Unix permissions can do, and far, far more. Most people don't use anywhere near the full set of ACLs, probably because they're quite complicated and they're a lot of them:
Sadly the default is for 'old style' behaviour so no execute permissions used, but they *could* be.
http://www.windowsecurity.com/articles/Understanding-Windows-NTFS-Permissions.htmlOn the other hand, FAT-xx file systems don't have any security permissions at all.
One thing that bothers me is the way LINUX seems to default to execute-enabled on such drives (most likely USB sticks). OK, you might want to run stuff off a CD for installing, but given the ease of viruses in the world of Windows to propagate using either autorun or user gullibility it would be far better if any USB drives were mounted with the 'noexec' option. Any ideas of how to configure that?
And on the gripping hand, some Linux file systems (ext2, ext3, and others) have "extended attributes" which go beyond the POSIX standard. I don't know if samba uses them to correspond to NTFS ACLs, but I understand the SELinux uses them extensively.http://www.linux.com/feature/114027 http://wiki.linuxquestions.org/wiki/Extended_attributes
Way too much - an opportunity for folk to put *anything* in there to the point of loosing data when it is copied to a system that can't understand those attributes.
That's probably of academic interest only, given that most Windows users run with full admin privileges all the time.
I do on my W2k box as so much just won't work properly otherwise, and yes I know that is security suicide!
Final and most important point with respect to the original posting, has CERT and/or the LINUX distributors been told of the flaw and our patch to fix it?
| [Prev in Thread] | Current Thread | [Next in Thread] |