Re: strange result when typing wrong password
On Thu, Jun 06, 2002 at 09:24:35AM +0200, Niels Möller wrote:
> There are four more bits than the traditional rwxrwxrwx. And what you want
> to do is modify those bits on /etc/passwd to say (i) processes that
> have no uid:s at all are not included in "others", and (ii) such
> processes are not allowed to access /etc/passwd.
You achieve this by setting bit S_IUSEUNK:
/* If the S_IUSEUNK bit is set, then the S_IUNKNOWN bits (see below)
   control access for unknown users. If S_IUSEUNK is clear, then unknown
   users are treated as "others" for purposes of access control. */
#define S_IUSEUNK 000000400000
and clearing the bits in S_IUNKNOWN:
/* Mask of protection bits for unknown users (no effective IDs at all). */
#define S_IUNKNOWN 000007000000
> But it's harder than it sounds, because chmod doesn't yet know about
> those bits. There have been some patches on the hurd-bugs mailing list.
But chmod knows about octal numbers! ;) So you can actually just calculate
the right octal number and pass it to chmod on the command line, IIRC.
Something like
# chmod 0400644 /etc/passwd
should do the job (untested!).
> Also the default for the bit that decides whether or not no-uid
> processes are included in "others" isn't really decided yet.
Yep, that's still open. The current behaviour is documented above.
> And at last, if you have the login shell only on the console (that's
> the default behavior, iirc),
Unfortunately not. I didn't bother to figure out yet which place I have to
change to make it use /bin/loginpr on incoming connections, rather than
/bin/login. Or should we swap the programs and configure the local console
to use something different than /bin/login? Someone please send a patch! :)
Thanks,
Marcus
--
`Rhubarb is no Egyptian god.' Debian http://www.debian.org brinkmd@debian.org
Marcus Brinkmann GNU http://www.gnu.org marcus@gnu.org
Marcus.Brinkmann@ruhr-uni-bochum.de
http://www.marcus-brinkmann.de
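
Added example, not part of the message above and not Hurd source code: a simplified C model of the rule quoted in the S_IUSEUNK comment, showing which rwx bits apply to a process with no effective IDs and how the 0400644 chmod argument is derived from 0644. The function names, UNK_SHIFT and the assumption that the S_IUNKNOWN bits are ordered r,w,x are hypothetical; only the two constants come from the message.

```c
#include <stdio.h>

/* Values quoted in the message above. */
#ifndef S_IUSEUNK
#define S_IUSEUNK  000000400000
#endif
#ifndef S_IUNKNOWN
#define S_IUNKNOWN 000007000000
#endif

/* Assumption: the three S_IUNKNOWN bits are laid out r,w,x like the other
   classes, so shifting right by 18 yields an ordinary rwx triple. */
#define UNK_SHIFT 18   /* hypothetical helper name */

/* rwx triple (0..7) that applies to a process with no effective IDs. */
unsigned int unknown_user_perms(unsigned long mode)
{
    if (mode & S_IUSEUNK)
        return (unsigned int)((mode & S_IUNKNOWN) >> UNK_SHIFT);
    return (unsigned int)(mode & 07);   /* S_IUSEUNK clear: treated as "others" */
}

/* Mode that locks out no-uid processes while keeping the classic bits:
   set S_IUSEUNK, clear every bit in S_IUNKNOWN. */
unsigned long deny_unknown(unsigned long mode)
{
    return (mode | S_IUSEUNK) & ~(unsigned long)S_IUNKNOWN;
}

int main(void)
{
    unsigned long before = 0644;              /* constructed sample mode */
    unsigned long after = deny_unknown(before);

    printf("chmod argument: 0%lo\n", after);
    printf("no-uid rwx before: %o, after: %o\n",
           unknown_user_perms(before), unknown_user_perms(after));
    return 0;
}
```

With S_IUSEUNK clear, a world-readable file is also readable by no-uid processes; setting the bit while leaving S_IUNKNOWN at zero removes that access without touching the owner, group and other bits.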