Re: couple things RedHat does well and Debian should too
On Fri, 5 May 2000, Sergey V Kovalyov wrote:
> One thing is pam_console module that allows changing some file ownership
> and permission for users logged in from console. It can be used to enable
> access to removable media and audio. Otherwise you either have to give
> access to everybody at once or to root only.
This is really dangerous because anyone who logs into the console can
create a setgid audio/cd/whatever executable and always recover their
privileges. So you are better just to add everyone to the group file, same
difference.
> The second feature is pam_xauth module that is used to pass xauth keys
> when doing su. Very convenient. Recall how often we get questions about X
> connection refused after su.
This is also crazy. If you su to root the best thing to do is to set
XAUTHORITY=/home/foo/.Xauthority. If you su to another user the sane thing
to do is to use ssh and secure X forwarding. Otherwise you leak your X
cookie to potentially evil users.
Jason
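
An added example, not part of the original message: a small audit that lists setgid executables whose group is one of the device groups discussed above, which is how an administrator could check for the leftover-privilege problem the reply describes. The group names in `DEVICE_GROUPS` and the default scan root `/home` are assumptions; adjust them for the system being audited.

```python
import grp
import os
import stat
import sys

# Assumed names of device-access groups; not taken from the message above.
DEVICE_GROUPS = ("audio", "cdrom", "floppy", "video")

def resolve_gids(names):
    """Map group names to numeric gids, skipping groups absent on this host."""
    gids = set()
    for name in names:
        try:
            gids.add(grp.getgrnam(name).gr_gid)
        except KeyError:
            pass
    return gids

def find_setgid_executables(root, gids):
    """Return sorted (path, owner_uid, gid) for setgid executables grouped in gids."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            except OSError:
                continue  # vanished or unreadable entry
            if not stat.S_ISREG(st.st_mode):
                continue
            if not st.st_mode & stat.S_ISGID:
                continue
            if not st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                continue  # not executable, so it cannot be run to regain the group
            if st.st_gid in gids:
                hits.append((path, st.st_uid, st.st_gid))
    return sorted(hits)

if __name__ == "__main__":
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "/home"
    for path, uid, gid in find_setgid_executables(scan_root, resolve_gids(DEVICE_GROUPS)):
        note = "" if uid == 0 else "  (not owned by root)"
        print(f"{path} uid={uid} gid={gid}{note}")
```

Files reported with a non-root owner are the ones worth reviewing first, since a packaged setgid binary is normally owned by root.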