Re: About the login shell
On Tue, Aug 20, 2002 at 03:15:22AM +0200, Marcus Brinkmann wrote:
> On Tue, Aug 20, 2002 at 03:15:49AM +0200, Robert Millan wrote:
> > Do we have file permission bits for the unauthentificated user?
>
> Yes. And a bit to control if it should use those or the o bits. Currently,
> the default is to use the o bits, but we are not sure if we shouldn't change
> that. What you described is an option we have to consider.
Well i think we can reach something much more secure than the "all or nothing"
unix traditional approach, too.
Let's say i want to set a public console for html browsing; on unix, users
could easily find a shell escape in the browser (for example, lynx has an
option to pipe a download through a custom application), but on the GNU system
the browser could be set as the only application the guest user can execute.
But to get it really flexible this would need a large permission table,
though, where each file has a permission set for owner, each user and each
group. I don't know if this is scalable. Maybe some rulesets can be used to
define permissions instead.
--
Robert Millan
"5 years from now everyone will be running
free GNU on their 200 MIPS, 64M SPARCstation-5"
Andrew S. Tanenbaum, 30 Jan 1992
Reply to: