
Re: A question about Knark and modules



>>>>> "Ethan" == Ethan Benson <erbenson@alaska.net> writes:

Ethan> echo 'eb::0:0:Ethan Benson:/home/eb:/bin/bash' > /etc/passwd.d/eb

Ethan> login wheeeee r00t!

Hmm.  Forgot about that.  I guess that would be a bit of a security
hole. :-(

Ethan> it would be a nightmare to administer.

I don't think so.  Does the administrator need to really do much with
the password database, once a user gets set up?  If you want to audit
the database, you can always just do "cat /etc/passwd.d/* | less".
And the administrative programs (usermod, chsh, etc.) shouldn't be too
hard to modify.  Is there anything else that you would want to do?

Well, obviously my proposed scheme wouldn't work (because of the
previously mentioned exploit), but the motivation behind the scheme was
to reduce the number of SUID programs (because if you don't need it to
be SUID, you're safer without it being SUID).  Is there any (sane) way
of making it so that programs such as passwd, chsh, etc. don't need to
be SUID?

- -- 
Hubert Chan <hackerhue@geek.com> - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD  6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net.   Please encrypt *all* e-mail to me.
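
An added example, not part of the original message: the checks an audit or login path would need before trusting a user-writable entry under the `/etc/passwd.d/` layout proposed in this thread. It assumes one file per user, owned by that user; the function names and the owner uid 1000 in the sample are constructed for illustration.

```python
import os
import stat

# Constructed sample: the entry quoted in the thread, in a file owned by uid 1000 (assumed).
SAMPLE = ("eb", 1000, "eb::0:0:Ethan Benson:/home/eb:/bin/bash\n")

def check_entry(filename, owner_uid, text):
    """Return a list of problems for one per-user file; an empty list means it passes."""
    lines = [l for l in text.splitlines() if l.strip()]
    if len(lines) != 1:
        return [f"expected exactly 1 entry, found {len(lines)}"]
    fields = lines[0].split(":")
    if len(fields) != 7:
        return [f"expected 7 colon-separated fields, found {len(fields)}"]
    name, passwd, uid, gid = fields[:4]
    problems = []
    if name != filename:
        problems.append(f"login name {name!r} does not match file name")
    if passwd == "":
        problems.append("empty password field")
    if not (uid.isascii() and uid.isdigit() and gid.isascii() and gid.isdigit()):
        problems.append("non-numeric uid or gid")
    elif int(uid) != owner_uid:
        # The file owner is the only value here the user cannot choose.
        problems.append(f"uid {int(uid)} differs from file owner uid {owner_uid}")
    # The gid, home and shell fields have no trusted reference in this layout,
    # so they cannot be validated from the file alone.
    return problems

def audit_dir(path):
    """Check every file in path; return {filename: [problems]} for the failures."""
    findings = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        st = os.lstat(full)  # lstat: do not follow symlinks planted by a user
        if not stat.S_ISREG(st.st_mode):
            findings[name] = ["not a regular file"]
            continue
        with open(full, encoding="utf-8", errors="replace") as fh:
            problems = check_entry(name, st.st_uid, fh.read())
        if problems:
            findings[name] = problems
    return findings

if __name__ == "__main__":
    print(check_entry(*SAMPLE))
```
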


