T 5.19 Abuse of user rights

An abuse of user rights occurs when a user deliberately uses privileges obtained with or without authorisation to harm the system or its users.

For technical reasons, users will often have higher or more extensive access rights than they actually need to do their jobs. These rights can be used to spy on data even when the work instructions prohibit such access.

Examples:

• On many Unix systems, the file /etc/passwd can be read by every user, which means they can access the personal data entered in this file. In addition, users can try to guess the encrypted passwords using a dictionary attack (see T 5.18 Systematic trying-out of passwords). When group rights are granted too generously, especially to system groups like root, bin, adm, news, or daemon, for example, it is easy to abuse these privileges to change or delete the files of other users.
  A storage administrator responsible for the administration of the hard disks in a z/OS system was able to read customer files thanks to the Operations attribute assigned to him by the RACF Administration so he could perform his administration tasks. The administrator used this access right to make unauthorised copies of the data.