[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: A question about Knark and modules



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>>>>> "Ethan" == Ethan Benson <erbenson@alaska.net> writes:

Ethan> passwd not being able to update /etc/shadow would be a very bad
Ethan> thing since users would be unable to change thier own passwords.
Ethan> users need to be encouraged to change thier passwords, not
Ethan> discouraged.

Off topic, but I'm just wondering if there has ever been any though to
putting each user's information in a separate file.  So if I had users
"foo" and "bar", then I would have files /etc/passwd.d/foo and
/etc/passwd.d/bar (or something like that), with /etc/passwd.d/foo only
read/writable by user foo (and root), and /etc/passwd.d/bar only
read/writable by user bar (and root).

This way, the login programs would still need to be SUID root (but I
don't think there's any way around that, since they need to launch a
shell under different UID's), but programs such as passwd would not,
since user foo (and root) already have permissions to his password file.

The only problems I could think of is that it would eat up a chunk of
inodes (but I don't know of anyone who's running short on inodes), and
we'd have a lot of internal fragmentation in the filesystem (which
shouldn't be too much of a problem, with disk space so cheap).  If all
the login programs use PAM, then creating such a scheme won't break any
programs (hopefully).

Ethan> i don't think you can really modify passwd to be that granular
Ethan> about ssh vs other methods of access.

OK, back on topic... could you modify PAM?  Do all login programs in
Debian use PAM now?

- -- 
Hubert Chan <hackerhue@geek.com> - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD  6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net.   Please encrypt *all* e-mail to me.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7L5tUZRhU33H9o38RArQPAKDBFyBb+6fiIMPGTHTk0o3OnaUX3ACeJsf0
Uyrk7f931paQ+Nuf76efyo4=
=6nTM
-----END PGP SIGNATURE-----



Reply to: