PowerSC


A request to stop an easy workaround which allows users to run untrusted scripts


    IBM Champion
    Posted Tue April 05, 2022 11:27 PM
    Hi,
    I opened an RFE/idea a while back, but had little support for the idea. However, recently a colleague in Europe ran into the same issue and the development team is looking at it again. If you think this is an issue, we would welcome you adding your support to the request (AIX/PowerSC Trusted Execution (TE) | IBM Power Ideas Portal).

    Background
    Briefly, you can enable TE CHKSCRIPT and still execute the script using a shell. For example, running the script:
        ./<my_script>
    will be checked by TE, whereas running:
        ksh ./<my_script>
    will not be checked.

    My concern is that administrators will believe that they have secured the scripts in their system, but this can be easily worked around.

    I have also added the idea that configuration files should be able to be added to the TSD and checked when they are read. This, I believe, will add extra protection to applications / daemons from reading modified configuration files.
    I hope that you can support this improvement.
    Cheers,
    Red.

    ------------------------------
    ========================
    Antony Steel (Red)
    Belisama Pte. Ltd.
    antony.steel@belisama.com.sg
    ------------------------------
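
An added example, not part of the original post and not IBM or PowerSC code: a small Python audit helper that flags command lines of the `ksh ./<my_script>` form described in the post and checks the script operand against a table of recorded hashes. The interpreter list, the `trusted` table standing in for the TSD, and the sample scripts and command lines are constructed assumptions.

```python
import hashlib, os, shlex, tempfile

# Assumption: interpreters worth watching; extend for your environment.
INTERPRETERS = {"sh", "ksh", "ksh93", "bash", "csh", "perl"}

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def script_operand(argv):
    """Return the script path in '<interpreter> [options] <script>', else None."""
    if not argv or os.path.basename(argv[0]) not in INTERPRETERS:
        return None
    for arg in argv[1:]:
        if arg == "-c":              # inline command string, no script file
            return None
        if not arg.startswith("-"):  # simplification: options taking values are not parsed
            return arg
    return None

def audit(cmdline, trusted):
    """Classify a command line; 'trusted' maps real path -> expected SHA-256."""
    script = script_operand(shlex.split(cmdline))
    if script is None:
        return None                  # not the interpreter-plus-script form
    path = os.path.realpath(script)
    if path not in trusted:
        return "unregistered"
    if not os.path.isfile(path) or sha256_of(path) != trusted[path]:
        return "modified"
    return "ok"

def demo():
    """Run the audit over constructed scripts and command lines."""
    d = tempfile.mkdtemp()
    good, bad, new = (os.path.join(d, n) for n in ("good.sh", "bad.sh", "new.sh"))
    for p in (good, bad, new):
        with open(p, "w") as f:
            f.write("#!/bin/ksh\necho hello\n")
    trusted = {os.path.realpath(p): sha256_of(p) for p in (good, bad)}
    with open(bad, "a") as f:        # changed after its hash was recorded
        f.write("echo tampered\n")
    q = shlex.quote
    lines = [q(good), f"ksh {q(good)}", f"ksh {q(bad)}", f"ksh -x {q(new)}", "ksh -c 'echo hi'"]
    return [audit(line, trusted) for line in lines]

if __name__ == "__main__":
    print(demo())
```

Fed with command lines from process accounting or audit records, the `modified` and `unregistered` results are the invocations where a script reached an interpreter without matching a recorded hash.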