
Re: "Small" Bug



Hello,
 According to the discussion, I was thinking about getting rid of the passwd file.
I wonder if it is possible not to use one database file, which is
world-readable, but a set of small files (records, tuples) in homedirs (I
know that the homedir is defined in passwd - just thinking :) ). And, on the
other hand, it is possible to use a database (SQL engine) to manage user
accounts. The main advantage of this solution is extended access control (as
far as I remember, in Oracle 7). Level-based access control can give a
specified user (not the supervisor) the ability to create, for example,
new user accounts (to do backups, etc.).
 IMHO the main question is: is it really important?

Sorry if this post wasn't helpful - I haven't used the Hurd for a long time
(work work work :( )

BTW - when playing with Unix chmod and chown (and a bit of C) I've created a
system without suid-root files visible to users (but they still have access
to login, mount, ping, etc.). Have you ever tried to do something like it?
I think it is too simple to work, so I am asking where I went wrong.


yours,

burzum
HTI 

On Wed, 15 Mar 2000, powder keg wrote:

-->>How do you compromise a box with a username but no password? I challenge 
-->>you:
-->>
-->>brinkmds@mailhost.ruhr-uni-bochum.de
-->>brinkmd@master.debian.org
-->>brinkmd@va.debian.org
-->>finnegan@users.sourceforge.net
-->>marcus@gnu.org
-->>
-->>Those are four user names on wholly different systems.
-->
-->How retarded.
-->
-->Yes, but you gave those to us.  Now, assuming these machines are running 
-->Hurd (which they're not) if we telnet to your machine and find someone who 
-->hasn't reset their default passwd...
-->
-->This is a lot different than sitting at a terminal with no mailing list, no 
-->computer, etc. and wondering, "hmm, where should I start?"
-->
-->No one is going to use the Hurd if you have some sort of nonsense like an 
-->open login shell.  It's an IS nightmare and it's clumsy, at best, pure 
-->stupidity at worst.  The more privileges to the unauthorized user, the more 
-->he can poke holes at the system.
-->
-->Why don't we make the passwords visible as well?  It's just tooooo difficult 
-->these days to retype a password again and, more than likely, most people 
-->don't have people looking over their shoulders anyway.
-->
-->Just because you want to break the rules of common sense to make a statement 
-->about your "it'll never happen" mentality doesn't mean we need to suffer 
-->with the possibility of compromising our systems.
-->
-->>Here is one for you: "root". Probably 90% of all machines have it.
-->
-->Yeah, but the root account doesn't usually have a simple password like the 
-->average user has (birthday, mother's maiden name, etc).  The root password 
-->isn't going to be posted on a monitor with a post-it note.
-->
-->>To close the case I make the following suggestion: Double the length of the 
-->>passwords from eight to sixteen. This has the same effect.
-->
-->This is the dumbest idea I've heard yet.  If people can't remember 8-letter 
-->passwords without scrawling it down in an obvious location, what makes you 
-->think they'll fare any better with 16-letter ones?


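The two risks this thread argues about are accounts that can log in with no password at all and password data sitting in a world-readable passwd file. Below is an added audit example (not code from the thread or from the Hurd project) that parses passwd- and shadow-format records and flags both conditions. The sample records, user names and hashes are constructed for the example; on a real system the same function would be fed the contents of /etc/passwd and /etc/shadow.

```python
# Added example, not part of the original mailing-list post.
# Audits passwd/shadow-style records for the problems discussed in the thread:
#   - accounts whose password field is empty (login needs no password at all)
#   - password hashes stored in the world-readable passwd file instead of shadow
from dataclasses import dataclass

# Constructed sample of a world-readable /etc/passwd (hypothetical users).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
bob::1001:1001:Bob:/home/bob:/bin/sh
carol:$1$abcdefgh$ijklmnopqrstuvwxyz012:1002:1002:Carol:/home/carol:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
"""

# Constructed sample of the matching root-only /etc/shadow.
# "*" marks a locked account; an empty second field means "no password".
SHADOW_SAMPLE = """\
root:$6$saltsalt$hashhashhash:18000:0:99999:7:::
alice::18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
"""


@dataclass
class Finding:
    user: str
    issue: str


def parse_colon_records(text):
    """Yield the colon-separated fields of each non-empty, non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        yield line.split(":")


def audit_accounts(passwd_text, shadow_text):
    """Return a list of Findings for risky entries in passwd/shadow text."""
    findings = []

    # Map user -> shadow password field so passwd entries can be cross-checked.
    shadow = {}
    for fields in parse_colon_records(shadow_text):
        if len(fields) >= 2:
            shadow[fields[0]] = fields[1]

    for fields in parse_colon_records(passwd_text):
        if len(fields) != 7:
            findings.append(Finding(fields[0], "malformed passwd record"))
            continue
        user, pw, _uid, _gid, _gecos, _home, _shell = fields

        if pw == "":
            # Empty field in passwd: anyone can log in as this user.
            findings.append(Finding(user, "empty password in passwd"))
        elif pw != "x":
            # Anything other than "x" is a hash readable by every local user.
            findings.append(Finding(user, "password hash in world-readable passwd"))
        else:
            # "x" defers to shadow; check the shadow entry actually protects the account.
            sp = shadow.get(user)
            if sp is None:
                findings.append(Finding(user, "no shadow entry for shadowed account"))
            elif sp == "":
                findings.append(Finding(user, "empty password in shadow"))
    return findings


if __name__ == "__main__":
    for f in audit_accounts(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print(f"{f.user}: {f.issue}")
```

Locked entries such as `*` or `!` in shadow are deliberately not reported: they cannot be logged into, which is the opposite of the problem being discussed. Running the audit on the constructed samples reports bob (empty password in passwd), carol (hash exposed in passwd) and alice (empty password in shadow), while root and daemon pass.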