TONT 37233 When people ask for security holes as features: World-writable files

Original link: https://devblogs.microsoft.com/oldnewthing/20041122-00/?p=37233

If I had a nickel each time somebody asked for a feature that was a security hole…

I’d have a lot of nickels.

For example, “I want a file that all users can write to. My program will use it as a common database of goodies.”

This is a security hole. For a start, there’s an obvious denial of service attack by having a user open the file in exclusive mode and never letting go. There’s also a data tampering attack, where the user opens the file and writes zeros all over it or merely alters the data in subtle ways. Your music index suddenly lost all its Britney Spears songs. (Then again, maybe that’s a good thing. Sneakier would be to edit the index so that when somebody tries to play a Britney Spears song, they get Madonna instead.) [Minor typo fixed. 10am]

A colleague from the security team pointed out another problem with this design: Disk quotas. Whoever created the file is charged for the disk space consumed by that file, even if most of the entries in the file belong to someone else. If you create the file in your Setup program, then it will most likely be owned by an administrator. Administrators are exempt from quotas, which means that everybody can party their data into the file for free! (Use alternate data streams so you can store your data there without affecting normal users of the file.) And if the file is on the system partition (which it probably is), then users can try to fill up all the available disk space and crash the system.

If you have a shared resource that you want to let people mess with, one way to do this is with a service. Users do not access the resource directly but rather go through the service. The service decides what the user is allowed to do with the resource. Maybe some users are permitted only to increment the “number of times played” counter, while others are allowed to edit the song titles. If a user is hogging the resource, the server might refuse connections for a while from that user.
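
A minimal sketch of the mediation described above, added here as an illustration and not code from the original post: the service is the only owner of the index, checks each caller's allowed operations, and refuses a caller who floods it. The class name, user names, permission table and limits are all hypothetical.

```python
import time
from collections import defaultdict, deque
# Hypothetical policy table: which operations each caller may request.
PERMISSIONS = {
    "alice": {"increment_play_count", "edit_title"},
    "bob": {"increment_play_count"},
}

class MusicIndexService:
    """Sole owner of the index; callers never touch the storage directly."""
    def __init__(self, max_requests=5, window=10.0, cooldown=30.0, clock=time.monotonic):
        self._songs = {1: {"title": "Song A", "plays": 0}}  # constructed sample data
        self._recent = defaultdict(deque)   # user -> timestamps of recent requests
        self._blocked_until = {}            # user -> time at which refusal ends
        self._max, self._window, self._cooldown = max_requests, window, cooldown
        self._clock = clock

    def _admit(self, user):
        """Sliding-window limit: a caller hogging the service is refused for a while."""
        now = self._clock()
        if now < self._blocked_until.get(user, float("-inf")):
            return False
        q = self._recent[user]
        while q and now - q[0] > self._window:
            q.popleft()
        if len(q) >= self._max:
            self._blocked_until[user] = now + self._cooldown
            q.clear()
            return False
        q.append(now)
        return True

    def request(self, user, op, song_id, value=None):
        if not self._admit(user):
            return "refused: too many requests"
        if op not in PERMISSIONS.get(user, set()):
            return "denied"                 # unknown users and unlisted operations
        song = self._songs.get(song_id)
        if song is None:
            return "no such song"
        if op == "increment_play_count":
            song["plays"] += 1              # the only change this operation can make
        elif op == "edit_title":
            if not isinstance(value, str) or not 0 < len(value) <= 200:
                return "invalid title"
            song["title"] = value
        return "ok"

    def get(self, song_id):
        return dict(self._songs[song_id])   # a copy, so callers cannot alter the index
```

Unlike a write ACL on a file, each grant here names one specific mutation, and the throttle is applied per caller before any work is done.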

A file doesn’t give you this degree of control over what people can do with it. If you grant write permission to a user, then that user can write to any part of the file. The user can open the file in exclusive mode and prevent anybody else from accessing it. The user can put fake data in the file in an attempt to confuse the other users on the machine.

In other words, the user can make a change to the system that impacts how other users can use the system. This sort of “impact other users” behavior is something that is reserved for administrators. An unprivileged user should be allowed only to mess up his own life; he shouldn’t be allowed to mess up other users’ lives.

Armed with this information, perhaps now you can answer this question posted to comp.os.ms-windows.programmer a few months ago.
