> This is where I don't understand. How can simply knowing if a file exists or > not be a security concern? I admit to being ignorant of this because a user in > z/OS can generally get a listing of the names of all the data sets > (files) which exist on a z/OS system even if they cannot read them.
I'd speculate that if you're really running in a secure environment, the system isn't supposed to disclose ANYTHING about information that you're not explicitly permitted to interact with. The setgid thing is a crude attempt to implement that on a system that doesn't really have granular privileges -- you have to be in group XXX to get at the information is pretty much the best you can do. If you're using SELinux and it's properly set up, then the system won't even acknowledge the existence of the files/directories without explicit permission. If you can't find it, you can't attack it. ---------------------------------------------------------------------- For LINUX-390 subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390 ---------------------------------------------------------------------- For more information on Linux on System z, visit http://wiki.linuxvm.org/
