Re: lynx-dev editing forms (was forms)


From: Philip Webb
Subject: Re: lynx-dev editing forms (was forms)
Date: Wed, 15 Jul 1998 06:41:31 -0400 (EDT)

980715 David Woolley commented on my <RANT> ... </RANT>: 
>> anonymous users, who might somehow use an editor to attack people;
> If someone can get a shell out of an anonymous Lynx account,
> they have the potential to generate a very large volume of spam
> before they get stopped (this doesn't need any more than shell access)

thanx for pointing this out: that does sound like the equivalent
of giving materials for nukes to the N Koreans,
rather than simply leaving matches around an arsonist.

> other weaknesses in the system, e.g. the Lynx temporary file problems,
> to gain access to other accounts, including root.

that's where i tend to be very hard-nosed & tell sysadmins
they shouldn't allow anonymous users on a machine with shell users:
if they do, they should accept the consequences
& Lynx should not attempt to protect them
if the alternative is denying useful devices to normal Lynx users.
 
> Lynx needs to be able to provide full function with only internal editors,
> even if it also provides access to external editors
> in an environment where shell access is legitimately available.
 
this is the source of my irritation:
there are very good reasons why normal Lynx users should be able
to use an external editor to prepare forms
-- which would allow insertion of pre-edited files too --
& it should NOT be considered a valid objection
that anonymous users could abuse this facility.
if there is a simple way to deny anonymous users access to the editor,
then there is no problem, but if it's not straightforward & we have to choose,
we should put the interests of normal users before those of sysadmins
who allow anonymous access to their machines.

isn't anonymous access more of a convenience than an act of charity?
a sysadmin can give free accounts to users whose ID he knows
& can install security software to track down abusive hackers.
if the sysadmin doesn't want the administrative overhead
or the users don't want to have to sign up in advance,
normal Lynx users shouldn't have to be inconvenienced as a result.

-- 
========================,,============================================
SUPPORT     ___________//___,  Philip Webb : address@hidden
ELECTRIC   /] [] [] [] [] []|  Centre for Urban & Community Studies
TRANSIT    `-O----------O---'  University of Toronto
