[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: lynx-dev patch to add description of extended INCLUDE syntax to
|
From: |
Larry W. Virden |
|
Subject: |
Re: lynx-dev patch to add description of extended INCLUDE syntax to |
|
Date: |
Wed, 2 Jun 1999 07:17:13 -0400 (EDT) |
From: Henry Nelson <address@hidden>
>On a related theme, I was worried somewhat by Vlad's comment on mine:
>Henry:
>"Security risk features have never been allowed to be overridden by defines
>in lynx.cfg from the compile-time selections."
>Vlad:
>I don't think it's so ^. If the values of these settings are not allowed to
>override compile-time selections, then why do they exist?
I would hope that it is the case that one can never _lighten_ a lynx
installation's restrictions - only tighten them.
That is to say, an admin who compiles restrictions into lynx should be
assured that there is nothing a user can do with that particular binary
to get more privleges.
Thus, if one wants to vary privleges, one compiles no restrictions into
the lynx binary, and then installs the restrictions as a configuration
setting in the appropriate place - not in the site's lynx.cfg file, but
in a particular user's lynx.cfg . No action - including multiple
settings in one cfg file, or INCLUDEd files, should ever increase the
amount of privleges one gets. Any action other than that is a security
risk.
--
Larry W. Virden <URL: mailto:address@hidden>
<URL: http://www.purl.org/NET/lvirden/> <*> O- "No one is what he seems."
Unless explicitly stated to the contrary, nothing in this posting should
be construed as representing my employer's opinions.