
Re: Admin for E-MAIL users only



On Thu, 2002-07-04 at 22:57, Russell Coker wrote:

> Delegating administrative access to one tree of an LDAP directory is easy.  
> Preventing it from being used maliciously is another issue.  A hostile user 
> could create a new LDAP entry with a UID of 0...

But if you configure files lookups before db lookups the uid 0 entry in
LDAP or SQL would never be used right?  Snippet from /etc/nsswitch.conf:
passwd:         files mysql
shadow:         files mysql
group:          files mysql


> Restricting someone who has UID=0 in a chroot environment from taking over 
> the rest of the machine is easy enough though...

Yes, based on your talk today I guess you mean SE Linux.  What about
user mode Linux, have you ever looked at its potential use as a chroot
environment?

Fraser
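
Added example (not part of the original message): a Python model of how the `files mysql` order in the snippet above resolves names and UIDs, plus an audit that lists second-source entries still reachable by name whose UID is low or already used in the local files. The sample entries, the `min_uid` threshold of 1000 and all function names are constructed for illustration; the model assumes the default NSS behaviour of trying the next source when a name is not found.

```python
# Constructed passwd(5)-format sample data; not from any real system.
FILES = """root:x:0:0:root:/root:/bin/bash
mail:x:8:8:mail:/var/mail:/bin/sh
"""
MYSQL = """root:x:0:0:duplicate of a local name:/tmp:/bin/sh
alice:x:5001:5001:mail user:/home/alice:/bin/false
toor:x:0:0:new name, uid 0:/home/toor:/bin/sh
postman:x:8:8:new name, local uid:/home/postman:/bin/sh
"""


def parse(text, source):
    """Parse passwd-format lines into dicts tagged with their NSS source."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 7:
            continue
        entries.append({"name": fields[0], "uid": int(fields[2]), "source": source})
    return entries


def lookup(key, value, sources):
    """Return the first match, walking sources in nsswitch.conf order."""
    for entries in sources:
        for entry in entries:
            if entry[key] == value:
                return entry
    return None


def audit(local, remote, min_uid=1000):
    """List remote entries not shadowed by a local name whose UID is
    below min_uid (assumed threshold) or collides with a local UID."""
    local_names = {e["name"] for e in local}
    local_uids = {e["uid"] for e in local}
    return [(e["name"], e["uid"]) for e in remote
            if e["name"] not in local_names
            and (e["uid"] < min_uid or e["uid"] in local_uids)]


if __name__ == "__main__":
    local, remote = parse(FILES, "files"), parse(MYSQL, "mysql")
    order = [local, remote]                    # passwd: files mysql
    print(lookup("name", "root", order))       # answered by files
    print(lookup("uid", 0, order))             # uid -> name answered by files
    print(lookup("name", "toor", order))       # falls through to mysql
    print(audit(local, remote))
```

The ordering shadows a second-source entry only when its name or UID lookup is answered by the local files first; the audit output is the list an administrator would want to be empty before delegating write access to that source.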

