Re: Re: Code Security

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Sorry if i misread and put my reply in a wrong context.
but from how i read this question it is all about preventing a user to open
a terminal window.

if Mr. Nice is logged in then i assume he has all rights as the topic
starter is afraid Mr. ugly can look at his code.

as far as i know it is not common practice to work direct on a server and
have all rights and allow other people using that computer when connected
to the specific server.
Ethan also pointed out that he made a POS (Point of Sale) program to work
in that store. there are 2 account types: 1>admin  2>worker.

the worker should not have any rights and the admin account should only be
able to change/edit things within that program.
--------

i don't see why anyone (the admin included) would need to have access on
the stand alone server apart for maintainance duties to keep it all up and
running.
the server needs to be locked in a server room or another place that will
fit. but definately locked.

if someone can get on that server through a terminal it will mean something
has gone horrible wrong.

i am not sure if Ethan is trolling though. but if i understand his question
right and it's a honest question, it sounds kind of weird to me.

when i get an order to install a server, my first question would be like:
- who is going to use it?
- who has access to it?
- who need to have access to it?
- where will this server be placed? (server room, datacenter, store).

once the server is installed i have a root account, an admin account with
certain rights and i have made a couple of 'administrator groups' . the
programs like apache are in this group aswell. but this has nothing to do
with the administrator account from the POS.

so are we here talking about securing the code of the POS and its content
or are we talking about the basics of securing a Linux server?
if it is the latter, the Topic starter better read about how to secure his
server. btw, i'm wondering what his question has got to do with PHP and
databases :-/

in addition:

*as soon we talk about 'looking at code' and 'user is logged in as an
administrator with all rights to delete content' you will make ANY
administrator*
*nervous :) i know a couple of admins, trust me, they are paranoid and
won't trust anyone near their machines. not to speak about getting access
to a server!*


On Fri, Feb 13, 2015 at 6:28 PM, Guru <nagendra802000@xxxxxxxxx> wrote:

> Put a redirect code in www folder to your index page.
> On Feb 13, 2015 10:55 PM, "Karl DeSaulniers" <karl@xxxxxxxxxxxxxxx> wrote:
>
> > Set up a password or a salt that Mr. Nice has to call you to get and
> > expires on logout.
> >
> > Lol
> >
> > Best,
> > Karl
> >
> >
> > Sent from losPhone
> >
> > > On Feb 13, 2015, at 8:47 AM, erosenberg@xxxxxxxxxxxxxxxxxxxx wrote:
> > >
> > >
> > > Ethan,
> > > It seems like you're looking for a programmatic solution to a physical
> > > security problem. In the end, your most viable solution will likely
> > > be to train Mr. Goodguy to remove the key the same way he needs to
> > > remember his ATM card after a withdrawal. I've seen programmatic
> > > work-arounds to solve similar issues, but they have always ended up
> > > being significantly arduous for the end users...
> > > Respectfully,
> > > Joshua D. Arneson
> > > -----Original Message-----From: Ethan Rosenberg
> > > [mailto:erosenberg@xxxxxxxxxxxxxxxxxxxx] Sent: Friday, February 13,
> > > 2015 9:12 AMTo: php-db@xxxxxxxxx.netSubject: Re:  Code
> > > Security
> > > On 02/13/2015 02:58 AM, Karl DeSaulniers wrote:> Prevent THIS from
> > > ever happening.>> On Feb 12, 2015, at 11:03 PM, Ethan Rosenberg
> > > wrote:>>> He asks Mr.[naive]Nice if he could look at the computer
> > > while it is logged in.>>> Otherwise, I would say an external key that
> > > has a salt stored on it that the user has to insert in the computer
> > > before the system can be accessed.> Like an access key card. Immediate
> > > shut down when tampered and/or removed.>> Just a stab in the dark
> > > though.>> Best,>> Karl DeSaulniers> Design Drumm
> > > Karl -
> > > Thanks.
> > > The key is already plugged in. Mr [Naive] Nice is using the computer,
> > > and is logged in. Mr. Ugly just want to "look at" the computer.
> > > Ethan--
> > > Joshua -
> > > My apologies for an HTML message.  That is all I have at work.
> > >
> > > How about this -
> > > Block access to Ctrl-Alt-Del for Mr. Nice.
> > > TIA
> > > Ethan
> > >
> > >
> >
> > --
> > PHP Database Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
>

[Index of Archives]     [PHP Home]     [PHP Users]     [Postgresql Discussion]     [Kernel Newbies]     [Postgresql]     [Yosemite News]

  Powered by Linux