[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian for kids

Looks like I was too late.  After sending the email I realized what I
said.  It was an original thought before discarding because the commands
are not run as root.  I agree with the using special groups for some of
the commands.  I should also not post late at night after a long day.


On Wed, 2 Feb 2000, Ethan Benson wrote:

> On Wed, Feb 02, 2000 at 11:44:30PM -0500, Alex Dukat wrote:
> > 
> > 
> > On Wed, 2 Feb 2000, Ethan Benson wrote:
> > 
> > > auth       requisite	 pam_listfile.so item=user sense=deny \
> > > 	file=/etc/deny.passwd onerr=succeed
> > > 
> > > to the begining /etc/pam.d/passwd, and add any users who can't seem to
> > > use passwd command right to /etc/deny.passwd (or whatever).  multiuser
> > > compatible!
> > 
> > As a start to kid proofing a machine, one could remove world permissions
> > on all potentially dangerous commands, passwd, chmod, chown, etc.  Then
> > use sudo to return permission to those who are responsible.
> well chown can only be used by root, so its not a problem, chmod can
> only affect there own files, but it could create a temporary problem i
> suppose.. (chmod -R 0 .) passwd like i said need not have its
> permissions changed since access can be better controlled through use
> of PAM.
> using sudo to give the permissions back is not a good idea however,
> chmod for example does not run as root, its not suid, allowing someone
> to use sudo with chmod allows them to run it as root and change
> permissions on anything.  a better option for chmod would have to be
> using a special group and changing its permissions to 750.  (though if
> they really wanted it back they can download and compile chmod from
> source.
> -- 
> Ethan Benson

Reply to: