HP3000-L Archives

October 1995, Week 4

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Eric Schubert <[log in to unmask]>
Reply To: Eric Schubert <[log in to unmask]>
Date: Fri, 27 Oct 1995 08:57:37 -0400
>From:    Jim Wowchuk <[log in to unmask]>
>Subject: Re: ftp of image database files
 
>Last week I solicited comments from the SigSysMan list about security
>concerns (some more would be appreciated).  Programs like lzw and quark and
>others
 
 ^^^^ Add FUTIL.UTIL.DISC that comes in with Omnidex from DISC.  Lock it up!
 
>have a security risk associated with their use since they can access
>privileged files and copy them to non-privileged files.
 
 COMMENTS:
 
 In the age of NS/open and WRQ file transfers the target should be USER
LOGON security combined with GROUP/ACCOUNT capabilities.  Any semi-skilled
hacker could download their own version of FUTIL or any other break-in utility.
 
 So the focus should be USER with access to accounts and groups on the
system with appropriate capabilities.
 
 For example, we put a password on FUTIL but the group remains with PM
capability.  Should the UTIL.DISC group be eliminated?
 
 While I've got people's attention, how does the majority handle those nasty
database password problems?  If you open 12 databases on your system, you
cannot expect the user to type 12 passwords on the terminal.  Most systems
embed db passwords into program code or read them from a file.
 
----------------------------------------------------------------
Eric J. Schubert                    Senior Data Base Analyst
Office of Information Technologies  Univ of Notre Dame, IN USA
(219) 631-7306                      http://www.nd.edu/~eschuber
