On Sat, May 06, 2000 at 01:08:26AM -0400, Sergey V Kovalyov wrote:
>
> No, the way it works is it changes the ownership of the /dev/fd* etc. to
> you. No extra groups are given you so you can't create a setgid file. You
> can't really do anything except to read and write from/to those devices.
> It should be Ok.

it's not, see BugTraq, the user can simply leave a file descriptor open and retain privileges even after the device is chowned back. you might as well just use the group and make trusted users full time members, if you cannot trust them to have full time access to the device you are granting then you cannot trust them to access it at all.

now if linux had revoke() maybe this would be workable.

> > This is also crazy. If you su to root the best thing to do is to set
> > XAUTHORITY=/home/foo/.Xauthority.
>
> The problem with XAUTHORITY is when the home dirs are mounted via NFS with
> rootsquish (or whatever the word is), so the root can't read that

heh root squish i like that ;-) the correct term is root squash.

> xauthority file. So you have to manually
> xauth list
> copy and paste the appropriate line into
> xauth add
> Pretty annoying.

do you really need root squash on /home? it buys very little security since root may switch to whatever uid he wants. only root owned files are protected this way, nothing else.

IMO mounting the filesystem nosuid,nodev everywhere and leaving root squash off is a reasonable solution (so long as /home is its own partition).

NFS == No File Security.

--
Ethan Benson
http://www.alaska.net/~erbenson/
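The descriptor-retention problem raised in the reply above, seen from the administrator's side, as an added example that is not part of the original message: a descriptor opened while a node was accessible keeps working after the node's permissions are taken away, so the check to make before handing the device to the next user is whether any process still holds it open. A temp file stands in for the device node, `holders` and `demo` are hypothetical names, and Linux `/proc` is assumed.

```python
import os
import stat
import tempfile


def holders(path):
    """PIDs with an open descriptor on `path`, found by walking Linux /proc."""
    want = os.stat(path)
    is_dev = stat.S_ISCHR(want.st_mode) or stat.S_ISBLK(want.st_mode)
    found = set()
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            fds = os.listdir(f"/proc/{pid}/fd")
        except OSError:  # process exited, or not ours to inspect (run as root)
            continue
        for fd in fds:
            try:
                got = os.stat(f"/proc/{pid}/fd/{fd}")  # follows link to open file
            except OSError:
                continue
            same_node = (got.st_dev, got.st_ino) == (want.st_dev, want.st_ino)
            # A second node for the same device (same type and major/minor) counts too.
            same_dev = (is_dev and got.st_rdev == want.st_rdev
                        and stat.S_IFMT(got.st_mode) == stat.S_IFMT(want.st_mode))
            if same_node or same_dev:
                found.add(int(pid))
                break
    return sorted(found)


def demo():
    """Constructed stand-in for /dev/fd0: a temp file whose access is revoked."""
    tmp_fd, path = tempfile.mkstemp()
    os.write(tmp_fd, b"floppy data")
    os.close(tmp_fd)
    before = os.getpid() in holders(path)
    fd = os.open(path, os.O_RDONLY)   # opened while access was granted
    os.chmod(path, 0)                 # node no longer accessible by mode
    try:
        readable = os.read(fd, 11) == b"floppy data"  # old descriptor still works
        after = os.getpid() in holders(path)          # and the scan reports it
    finally:
        os.close(fd)
        os.unlink(path)
    return before, readable, after


if __name__ == "__main__":
    print(demo())
```

Run as root, `holders("/dev/fd0")` covers every process on the machine; as an ordinary user it only sees that user's own processes.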