
Re: A question about Knark and modules



On Tue, Jun 19, 2001 at 12:35:51PM -0600, Hubert Chan wrote:
> >>>>> "Ethan" == Ethan Benson <erbenson@alaska.net> writes:
> 
> Ethan> passwd not being able to update /etc/shadow would be a very bad
> Ethan> thing since users would be unable to change their own passwords.
> Ethan> users need to be encouraged to change their passwords, not
> Ethan> discouraged.
> 
> Off topic, but I'm just wondering if there has ever been any thought to
> putting each user's information in a separate file.  So if I had users
> "foo" and "bar", then I would have files /etc/passwd.d/foo and
> /etc/passwd.d/bar (or something like that), with /etc/passwd.d/foo only
> read/writable by user foo (and root), and /etc/passwd.d/bar only
> read/writable by user bar (and root).

um

GROSS!!!

sorry.  

> This way, the login programs would still need to be SUID root (but I
> don't think there's any way around that, since they need to launch a
> shell under different UIDs), but programs such as passwd would not,
> since user foo (and root) already have permissions to his password file.

echo 'eb::0:0:Ethan Benson:/home/eb:/bin/bash' > /etc/passwd.d/eb

login wheeeee r00t!

> The only problems I could think of is that it would eat up a chunk of
> inodes (but I don't know of anyone who's running short on inodes), and
> we'd have a lot of internal fragmentation in the filesystem (which
> shouldn't be too much of a problem, with disk space so cheap).  If all
> the login programs use PAM, then creating such a scheme won't break any
> programs (hopefully).

it would be a nightmare to administer. 

> Ethan> i don't think you can really modify passwd to be that granular
> Ethan> about ssh vs other methods of access.
> 
> OK, back on topic... could you modify PAM?  Do all login programs in
> Debian use PAM now?

i don't think it's a matter of modifying things; it's that
detecting ssh vs other forms of access is really impossible.  unless
you trust the utmp file maybe, even that doesn't really help.  

when you have uid=0 you have uid=0; nothing cares where it came from,
it just is.  

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
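The per-user file scheme quoted above only holds up if something still stops the file's owner from rewriting the fields that the echo line changes. The following Python, added here and not part of the thread, parses the seven-field passwd line format and accepts an owner's rewrite of their own /etc/passwd.d/<name> entry only when nothing but the hash or GECOS field changed; the entries and hashes are constructed samples.

```python
from dataclasses import dataclass
from typing import Set, Tuple

PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
# The only fields an account owner may change about themselves. uid, gid,
# home and shell decide what login hands the user, so they stay privileged.
USER_EDITABLE = {"passwd", "gecos"}


@dataclass(frozen=True)
class PasswdEntry:
    """One line of /etc/passwd (or of a per-user /etc/passwd.d/<name> file)."""
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

    @classmethod
    def parse(cls, line: str) -> "PasswdEntry":
        parts = line.rstrip("\n").split(":")
        if len(parts) != 7:
            raise ValueError(f"expected 7 colon-separated fields, got {len(parts)}")
        name, passwd, uid, gid, gecos, home, shell = parts
        return cls(name, passwd, int(uid), int(gid), gecos, home, shell)


def changed_fields(old: PasswdEntry, new: PasswdEntry) -> Set[str]:
    return {f for f in PASSWD_FIELDS if getattr(old, f) != getattr(new, f)}


def validate_user_update(old_line: str, new_line: str) -> Tuple[bool, str]:
    """Accept an owner's rewrite of their entry only if it touches editable fields."""
    privileged = changed_fields(PasswdEntry.parse(old_line),
                                PasswdEntry.parse(new_line)) - USER_EDITABLE
    if privileged:
        return False, f"privileged field(s) changed: {sorted(privileged)}"
    return True, "ok"


# Constructed sample entries; the hashes are placeholders, not real ones.
ORIGINAL = "eb:$6$saltsalt$HASH:1000:1000:Ethan Benson:/home/eb:/bin/bash"
PASSWORD_CHANGE = "eb:$6$newsalt$NEWHASH:1000:1000:Ethan Benson:/home/eb:/bin/bash"
UID_ZERO = "eb::0:0:Ethan Benson:/home/eb:/bin/bash"  # the line from the reply

if __name__ == "__main__":
    for label, cand in (("password change", PASSWORD_CHANGE), ("uid 0", UID_ZERO)):
        ok, why = validate_user_update(ORIGINAL, cand)
        print(f"{label}: {'accepted' if ok else 'rejected'} ({why})")
```

The check itself has to run with privilege the owner lacks, which is the point of the reply: the scheme moves the trusted component around rather than removing it.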
