[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: About the login shell



On Tue, Aug 20, 2002 at 03:15:22AM +0200, Marcus Brinkmann wrote:
> On Tue, Aug 20, 2002 at 03:15:49AM +0200, Robert Millan wrote:
> > Do we have file permission bits for the unauthentificated user?
> 
> Yes.  And a bit to control if it should use those or the o bits.  Currently,
> the default is to use the o bits, but we are not sure if we shouldn't change
> that.  What you described is an option we have to consider.

Well i think we can reach something much more secure than the "all or nothing"
unix traditional approach, too.

Let's say i want to set a public console for html browsing; on unix, users
could easily find a shell escape in the browser (for example, lynx has an
option to pipe a download through a custom application), but on the GNU system
the browser could be set as the only application the guest user can execute.

But to get it really flexible this would need a large permission table,
though, where each file has a permission set for owner, each user and each
group. I don't know if this is scalable. Maybe some rulesets can be used to
define permissions instead.

-- 
Robert Millan

"5 years from now everyone will be running
free GNU on their 200 MIPS, 64M SPARCstation-5"

              Andrew S. Tanenbaum, 30 Jan 1992



Reply to: