* Grzegorz Pawel Szostak said:
> > or FS? If you are so worried about it, don't use dynamically linked
> > binaries... But either way, I think that what you're talking about is an
> > unjustified paranoia - if you don't want your users to know who's on the
> > system, close each and every one of them in a chroot jail or deny shell
> > access.
> No, try free.net.pl, there are free shell accounts, they have such a
> module and ln won't help you :)

A quick look at it proves that they use exactly what I suggested before -
the db passwd access, a fragment of their nsswitch.conf:

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
passwd:     db
#shadow:    db files nisplus nis
group:      files db

#passwd:    files nisplus nis
shadow:     files nisplus nis
#group:     files nisplus nis

#hosts:     db files nisplus nis dns
hosts:      files nisplus nis dns

Now, below are just a few lines with the user accounts on the server (I
removed the real world names, to protect their identity):

abcdefg:x:23361:180::/home/stillfree/abcdefg:/bin/tcsh
aadi:x:18232:180::/home/stillfree/aadi:/bin/tcsh
compias:x:12003:180::/home/nextfree/compias:/bin/tcsh
wieczo76:x:5284:180::/home/free/wieczo76:/bin/tcsh
greyman:x:540:180::/home/free/greyman:/bin/tcsh
inferno:x:5701:180::/home/free/inferno:/bin/tcsh

OK, that's enough. Their database has 11888KB, I don't have time to browse
it all :)). Did I prove to you that your precious module is useless?
Besides, they probably don't use it. As far as I can tell it's a standard
RH 6.x system. Setting the /etc and /lib modes to 711 doesn't really help
much. Again, security by obscurity is not really what security is about....

> > solution for every (un)imaginable shell? You said you have no time - but you
> > are willing to waste time IMO.
> >
> So what is your solution?

PAM.

marek
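An added example, not part of the original message: a small audit that parses an nsswitch.conf, reports which databases are resolved through the db service, and checks whether the backing file is world-readable. SAMPLE is the fragment quoted above; the /var/db location and the function names are assumptions of this example.

```python
import os
import re
import stat

# Constructed sample: the nsswitch.conf fragment quoted in the message above.
SAMPLE = """\
# Example:
passwd:     db
#shadow:    db files nisplus nis
group:      files db

#passwd:    files nisplus nis
shadow:     files nisplus nis
#group:     files nisplus nis

#hosts:     db files nisplus nis dns
hosts:      files nisplus nis dns
"""

def parse_nsswitch(text):
    """Return {database: [sources]} for the active (uncommented) lines."""
    order = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if ":" not in line:
            continue
        name, _, rest = line.partition(":")
        rest = re.sub(r"\[[^\]]*\]", " ", rest)      # drop [NOTFOUND=return] actions
        order[name.strip()] = rest.split()
    return order

def db_backed(order, db_dir="/var/db"):
    """Map each database using the db service to (file path, world-readable?).

    db_dir is an assumption (the usual glibc nss_db directory).
    The flag is None when the file does not exist on this host.
    """
    report = {}
    for name, sources in order.items():
        if "db" not in sources:
            continue
        path = os.path.join(db_dir, name + ".db")
        try:
            readable = bool(os.stat(path).st_mode & stat.S_IROTH)
        except OSError:
            readable = None
        report[name] = (path, readable)
    return report

if __name__ == "__main__":
    order = parse_nsswitch(SAMPLE)
    for name, (path, readable) in db_backed(order).items():
        print(name, order[name], path, "world-readable:", readable)
```

On the quoted fragment the only active passwd source is db, so the permissions on /etc do not affect who can list accounts; what matters is who can read the db file and query NSS.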