On Tue, Jun 19, 2001 at 12:35:51PM -0600, Hubert Chan wrote:
> >>>>> "Ethan" == Ethan Benson <erbenson@alaska.net> writes:
>
> Ethan> passwd not being able to update /etc/shadow would be a very bad
> Ethan> thing since users would be unable to change their own passwords.
> Ethan> users need to be encouraged to change their passwords, not
> Ethan> discouraged.
>
> Off topic, but I'm just wondering if there has ever been any thought to
> putting each user's information in a separate file. So if I had users
> "foo" and "bar", then I would have files /etc/passwd.d/foo and
> /etc/passwd.d/bar (or something like that), with /etc/passwd.d/foo only
> read/writable by user foo (and root), and /etc/passwd.d/bar only
> read/writable by user bar (and root).

um GROSS!!! sorry.

> This way, the login programs would still need to be SUID root (but I
> don't think there's any way around that, since they need to launch a
> shell under different UID's), but programs such as passwd would not,
> since user foo (and root) already have permissions to his password file.

echo 'eb::0:0:Ethan Benson:/home/eb:/bin/bash' > /etc/passwd.d/eb
login

wheeeee r00t!

> The only problems I could think of are that it would eat up a chunk of
> inodes (but I don't know of anyone who's running short on inodes), and
> we'd have a lot of internal fragmentation in the filesystem (which
> shouldn't be too much of a problem, with disk space so cheap). If all
> the login programs use PAM, then creating such a scheme won't break any
> programs (hopefully).

it would be a nightmare to administer.

> Ethan> i don't think you can really modify passwd to be that granular
> Ethan> about ssh vs other methods of access.
>
> OK, back on topic... could you modify PAM? Do all login programs in
> Debian use PAM now?

i don't think it's a matter of modifying things, it's a matter of detecting ssh vs other forms of access, which is really impossible. unless you trust the utmp file maybe, even that doesn't really help.

when you have uid=0 you have uid=0. nothing cares where it came from, it just is.

--
Ethan Benson
http://www.alaska.net/~erbenson/
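Added example (Python, not from the thread): the per-user record scheme discussed above only holds up if something trusted verifies every field except the password against a known baseline, which is exactly what the echo in the message sidesteps. The baseline record and the check itself are constructed for illustration.

```python
# Added example, not from the thread: a user-writable per-user passwd record
# is only safe if a trusted component verifies every field except the
# password against a baseline. Baseline/candidate records are constructed.
PASSWD_FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")

# The only field the scheme intends a user to change in their own record.
USER_EDITABLE = {"password"}


def parse_record(line):
    """Split one passwd(5)-style line into a dict; reject malformed lines."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(PASSWD_FIELDS):
        raise ValueError(f"expected 7 fields, got {len(parts)}")
    rec = dict(zip(PASSWD_FIELDS, parts))
    if not rec["uid"].isdigit() or not rec["gid"].isdigit():
        raise ValueError("uid and gid must be numeric")
    return rec


def audit_record(trusted_line, candidate_line):
    """Return findings where the candidate differs from the trusted baseline
    in any field other than the password; an empty list means the change
    is limited to what the scheme intends to allow."""
    trusted = parse_record(trusted_line)
    candidate = parse_record(candidate_line)
    findings = []
    for field in PASSWD_FIELDS:
        if field in USER_EDITABLE:
            continue
        if trusted[field] != candidate[field]:
            findings.append(
                f"{field} changed: {trusted[field]!r} -> {candidate[field]!r}")
    # Call out the escalation explicitly: uid 0 is root whatever the name.
    if candidate["uid"] == "0" and trusted["uid"] != "0":
        findings.append("record grants uid 0 (root)")
    if candidate["password"] == "":
        findings.append("empty password field (login without a password)")
    return findings


if __name__ == "__main__":
    # Constructed baseline for user "eb", and the record written in the thread.
    BASELINE = "eb:x:1000:1000:Ethan Benson:/home/eb:/bin/bash"
    ROGUE = "eb::0:0:Ethan Benson:/home/eb:/bin/bash"
    for finding in audit_record(BASELINE, ROGUE):
        print(finding)
```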