
Re: Login shell (was: Small Bug)



On Fri, Mar 17, 2000 at 11:20:58AM +0100, Niels Möller wrote:
> > OK, there is the alternative between introducing a more complex group system
> > or setting a fourth set of permission bits correctly for the whole system.
> > The non-logged-in permissions will have to be set by the package
> > maintainers, but if we really need that functionality offered by the default
> > Debian system, we could just as well make a more complex group system part
> > of the policy.
> 
> I think you will find that quite difficult. It would take a draft of
> such a system to convince me otherwise.

General solution: decide for each file which set of users needs access, see
whether you need to create a new group for that, set the file to the
corresponding group and remove all "a" permissions. That's not at all
elegant yet, but it proves that it is possible. On a reasonable system, it
should need only one additional group that contains everyone but anonymous. 

Perhaps it would make things much more transparent if we would allow groups
to contain other groups (recursively). Perhaps if there were a possibility to
have something like:

	group1:x:100:user1,user2
	group2:x:101:user3,user4,%group1

in your /etc/group, the whole setup would be much more comfortable.

> Do you know of any reasonably secure Unix system that has an enabled
> guest account? I don't but perhaps I'm just ignorant. I believe it is
> too much work to make a guest account secure to make it a serious
> alternative.

We will have just the same work making the anonymous user secure.

-- 
-- ______________________________________________________
-- JESUS CHRIST IS LORD!
--          To Him, even that machine here has to obey...
--
-- _________________________________Norbert "Nobbi" Nemec
-- Hindenburgstr. 44  ...  D-91054 Erlangen  ...  Germany
-- eMail: <nobbi@cheerful.com>   Tel: +49-(0)-9131-204180
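
The nested-group idea proposed in this message, worked through as an added example that is not part of the original post: a resolver that flattens `%group` references into a plain user set, including the two cases a real implementation would have to settle (reference cycles and references to undefined groups). The `%name` syntax is the post's hypothetical, not something the real /etc/group format supports; the function names and the `loopa`, `loopb` and `broken` sample lines are constructed for illustration.

```python
# Added example: "%group" nesting is the post's hypothetical syntax,
# not a feature of the real /etc/group format.
SAMPLE = """\
group1:x:100:user1,user2
group2:x:101:user3,user4,%group1
loopa:x:102:user5,%loopb
loopb:x:103:user6,%loopa
broken:x:104:user7,%nosuchgroup
"""  # first two lines are from the post; the rest are constructed


def parse_group_file(text):
    """Return {group_name: [raw member entries]} from /etc/group-style text."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.strip().split(":")
        if len(fields) != 4:
            raise ValueError(f"malformed group line: {line!r}")
        name, _passwd, _gid, members = fields
        groups[name] = [m for m in members.split(",") if m]
    return groups


def expand_members(groups, name, _active=None):
    """Flatten a group to its set of users, following %group references."""
    active = set() if _active is None else _active
    if name not in groups:
        # Fail closed: a dangling reference is an error, not an empty group.
        raise KeyError(f"reference to undefined group: {name}")
    if name in active:
        return set()  # cycle: this group is already being expanded
    active.add(name)
    users = set()
    for entry in groups[name]:
        if entry.startswith("%"):
            users |= expand_members(groups, entry[1:], active)
        else:
            users.add(entry)
    active.discard(name)
    return users


if __name__ == "__main__":
    parsed = parse_group_file(SAMPLE)
    for g in ("group1", "group2", "loopa"):
        print(g, sorted(expand_members(parsed, g)))
```

Flattening at lookup time like this means every permission check depends on the whole file being consistent, which is why the dangling reference raises instead of being skipped.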

