Date: Mon, 27 Dec 1999 00:03:20 +0100 (CET) From: Oliver Fromme <olli@dorifer.heim3.tu-clausthal.de> To: freebsd-questions@FreeBSD.ORG Subject: Re: "yes" Message-ID: <199912262303.AAA16632@dorifer.heim3.tu-clausthal.de>
next in thread | raw e-mail | index | archive | help
Chris Byrnes wrote in list.freebsd-questions:
> What is the purpose of the "yes" command? I have not seen anything
> useful that uses it.
>
> I have, however, seen people abuse it.. i.e: "yes poop > your-drive-is-full"
>
> It's 700'd root right now, but that's not the point.
You did WHAT?!?
Please excuse me for a minute while I roll on the floor
laughing...
Sorry. Seriously. If you think that /usr/bin/yes is a
dangerous utility that can be used to fill your disk, then
you should also chmod 700 a lot of other programs on your
system, including /bin/cat, /bin/echo, /bin/dd, /bin/sh and
almost everything else. Did you even care to add the -s
flag to your syslogd? If you didn't, then you have a nice
remote disk filling service... ;-)
/usr/bin/yes is a tool that can be used to pipe (repetitive)
answers into programs that request user input. For example,
imagine there's a program ``foo'' which might ask for one or
more confirmations during execution ("Input bratwurst contains
unexpected kartoffelknödel -- want me to continue [y/n]?").
If you want to use that program in a script, a cron job, a
Makefile or anything like that which is non-interactive, you
can use /usr/bin/yes to satisfy those confirmations (like
"yes | foo").
Regarding your fear of someone filling the disk: you don't
even need any external tool for that. The shell is enough
(``echo'' is a built-in command of most shells):
while :; do echo hühnersuppe >> foobar; done
You cannot really 100% prevent this kind of denial-of-service
attack, but there are a few points that help:
- Partition your disks in such a way that an attack like that
cannot do serious damage. That is, put all user-writable
directories on separate partitions (home, /tmp, /var/tmp and
possibly others).
- Use disk quotas ("apropos quota" should get you started).
- Create appropriate usage policies. Make it perfectly clear
that any abuse and attacks will result in removal of the
offending accounts.
If a user wants to run a denial-of-service attack against your
machine, he/she will probably not do this by creating large
files (except if he/she is a completely clueless idiot). If
this happens, you can easily see to whom the big files belong,
and ``rm'' and ``vipw'' (or ``rmuser'') are your friends.
Having said that, I have to add that it is usually relatively
trivial for local users (i.e. users with a shell account) to
run denial-of-service attacks. Using disk quotas, process
limits etc. are ways to reduce the risk, but there's definitely
no 100% reliable way (unless you don't care about the box being
usable at all). Making /usr/bin/yes inaccessible is certainly
not a good way to do it -- It does not improve security, and it
might even break some scripts (e.g. some configure scripts
check for ``yes'', for whatever reason). Even OpenBSD has a
usable /usr/bin/yes. ;-)
Regards
Oliver
--
Oliver Fromme, Leibnizstr. 18/61, 38678 Clausthal, Germany
(Info: finger userinfo:olli@dorifer.heim3.tu-clausthal.de)
"In jedem Stück Kohle wartet ein Diamant auf seine Geburt"
(Terry Pratchett)
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199912262303.AAA16632>