Re: A question about Knark and modules
>>>>> "Ethan" == Ethan Benson <email@example.com> writes:
Ethan> passwd not being able to update /etc/shadow would be a very bad
Ethan> thing since users would be unable to change their own passwords.
Ethan> users need to be encouraged to change their passwords, not

Off topic, but I'm just wondering if there has ever been any thought to
putting each user's information in a separate file. So if I had users
"foo" and "bar", then I would have files /etc/passwd.d/foo and
/etc/passwd.d/bar (or something like that), with /etc/passwd.d/foo only
read/writable by user foo (and root), and /etc/passwd.d/bar only
read/writable by user bar (and root).

This way, the login programs would still need to be SUID root (but I
don't think there's any way around that, since they need to launch a
shell under different UID's), but programs such as passwd would not,
since user foo (and root) already have permissions to his password file.

The only problems I could think of are that it would eat up a chunk of
inodes (but I don't know of anyone who's running short on inodes), and
we'd have a lot of internal fragmentation in the filesystem (which
shouldn't be too much of a problem, with disk space so cheap). If all
the login programs use PAM, then creating such a scheme won't break any

Ethan> i don't think you can really modify passwd to be that granular
Ethan> about ssh vs other methods of access.

OK, back on topic... could you modify PAM? Do all login programs in
Debian use PAM now?

Hubert Chan <firstname.lastname@example.org> - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD 6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net. Please encrypt *all* e-mail to me.