
Re: couple things RedHat does well and Debian should too



On Fri, 5 May 2000, Sergey V Kovalyov wrote:

> One thing is pam_console module that allows changing some file ownership
> and permission for users logged in from console. It can be used to enable
> access to removable media and audio. Otherwise you either have to give
> access to everybody at once or to root only.

This is really dangerous because anyone who logs into the console can
create a setgid audio/cd/whatever executable and always recover their
privileges. So you are better just to add everyone to the group file, same
difference.

> The second feature is pam_xauth module that is used to pass xauth keys
> when doing su. Very convenient. Recall how often we get questions about X
> connection refused after su.

This is also crazy. If you su to root the best thing to do is to set
XAUTHORITY=/home/foo/.Xauthority. If you su to another user the sane thing
to do is to use ssh and secure X forwarding. Otherwise you leak your X
cookie to potentially evil users.

Jason
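
An audit for the setgid leftovers described in the reply above, as an added example that is not part of the original message: it lists executables that are setgid to a device group and owned by a non-trusted account. The group names `audio` and `cdrom`, the `/home` scan root, and all function and file names are assumptions.

```python
import grp
import os
import stat
import tempfile

def gids_for(names):
    """Map group names to gids, skipping groups this host does not have."""
    gids = set()
    for name in names:
        try:
            gids.add(grp.getgrnam(name).gr_gid)
        except KeyError:
            pass
    return gids

def find_setgid_leftovers(root, watched_gids, trusted_uids=frozenset({0})):
    """List executables under root that are setgid to a watched group
    and owned by an account outside trusted_uids."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            setgid_exec = st.st_mode & stat.S_ISGID and st.st_mode & 0o111
            if setgid_exec and st.st_gid in watched_gids and st.st_uid not in trusted_uids:
                hits.append((path, st.st_uid, st.st_gid))
    return sorted(hits)

def build_sample_tree():
    """Constructed sample: one setgid executable and one ordinary file."""
    root = tempfile.mkdtemp(prefix="setgid-audit-")
    kept = os.path.join(root, "play")      # hypothetical leftover binary
    plain = os.path.join(root, "notes.txt")
    for path in (kept, plain):
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chown(path, -1, os.getegid())   # group the caller belongs to
    os.chmod(kept, 0o2755)                 # setgid + executable
    os.chmod(plain, 0o644)
    return root, kept

if __name__ == "__main__":
    # Group names are assumptions; use the ones your devices belong to.
    for hit in find_setgid_leftovers("/home", gids_for(["audio", "cdrom"])):
        print(hit)
```

Mounting user-writable filesystems with `nosuid` makes such files inert, which complements the scan.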

