
Re: couple things RedHat does well and Debian should too



On Fri, 5 May 2000, Jason Gunthorpe wrote:

> On Fri, 5 May 2000, Sergey V Kovalyov wrote:
> 
> > One thing is the pam_console module, which allows changing some file
> > ownership and permissions for users logged in from the console. It can be
> > used to enable access to removable media and audio. Otherwise you either
> > have to give access to everybody at once or to root only.
> 
> This is really dangerous because anyone who logs into the console can
> create a setgid audio/cd/whatever executable and always recover their
> privileges. So you are better just to add everyone to the group file, same
> difference.

No, the way it works is it changes the ownership of the /dev/fd* etc. to
you. No extra groups are given to you, so you can't create a setgid file. You
can't really do anything except read and write from/to those devices.
It should be OK.

> > The second feature is the pam_xauth module, which is used to pass xauth keys
> > when doing su. Very convenient. Recall how often we get questions about X
> > connection refused after su.
> 
> This is also crazy. If you su to root the best thing to do is to set
> XAUTHORITY=/home/foo/.Xauthority.

The problem with XAUTHORITY is when the home dirs are mounted via NFS with
rootsquish (or whatever the word is), so the root can't read that
xauthority file. So you have to manually 
xauth list
copy and paste the appropriate line into 
xauth add
Pretty annoying.

Sergey.
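
The manual step described in the message above (find the right line in `xauth list`, then give it to `xauth add` as root), as an added example that is not part of the original post. The function name `xauth_entry_for` and the sample cookie values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Reads `xauth list` output on stdin and prints the single entry for the
# requested display, in the "name protocol hexkey" form that `xauth add` takes.
# Usage (as the logged-in user):  xauth list | xauth_entry_for "$DISPLAY"

xauth_entry_for() {
    # Accept ":0", "host:0.0" or plain "0"; keep only the display number.
    d=${1##*:}
    d=${d%%.*}
    awk -v want="$d" '
        NF == 3 {
            # Entry name looks like host/unix:N or host:N; N follows the last colon.
            n = split($1, parts, ":")
            dpy = parts[n]
            sub(/\..*$/, "", dpy)            # drop a ".screen" suffix if present
            # Exact match on the number, so :1 never selects :10.
            # Refuse keys that are not an even-length hex string.
            if (dpy == want && $3 ~ /^[0-9a-fA-F]+$/ && length($3) % 2 == 0) {
                print $1, $2, $3
                found = 1
                exit
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample of `xauth list` output (not real cookies).
SAMPLE='myhost/unix:0  MIT-MAGIC-COOKIE-1  0123456789abcdef0123456789abcdef
myhost/unix:10  MIT-MAGIC-COOKIE-1  fedcba9876543210fedcba9876543210'

# Demo: prints the entry for display :0 from the sample.
printf '%s\n' "$SAMPLE" | xauth_entry_for :0
```

The printed line is what gets pasted after `xauth add` in the root shell. While that command runs, the cookie is visible in the process list to other local users.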

