Re: harden-clients idea
i reckon that the real point is: if your users have access to the network
from their account with whatever tools or have access to an editor and gcc,
all of your efforts are gone: just need to use your own copy of whatever_tool_they_like.
If you want to avoid them to go some places, simply use the OUTPUT
table and possibly the match with UID (i think) for exemple, or enforce this
policy on your firewall.
JeF
On Tue, Oct 08, 2002 at 12:47:32PM +0200, Kjetil Kjernsmo wrote:
> Hi folks!
>
> I just had an idea the other, er..., night, that still seemed smart when
> I woke up, so I figured I'll post it here in case it is... :-)
>
> The problem with e.g. telnet isn't really that it shouldn't be used for
> anything, but that it shouldn't be used by somebody. It is quite OK to
> use to check what the webserver responds to a particular request, for
> example. But, you wouldn't want ma to use it and send her password in
> cleartext.
>
> What I did was that I changed group ownership of /usr/bin/telnet.netkit
> to staff and made it executable for only root and staff. I figured,
> something like that could harden-clients do too, configurable through
> standard means.
>
> That way, people with correct privileges could still use telnet for
> sensible things, yet the admin would be warned if they did something
> very careless with other packages.
>
> Clever? :-)
>
> (I'm not currently subscribed to this list, please keep me on the CC)
>
> Best,
>
> Kjetil
> --
> Kjetil Kjernsmo
> Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
> kjetil@kjernsmo.net webmaster@skepsis.no editor@learn-orienteering.org
> Homepage: http://www.kjetil.kjernsmo.net/
>
>
> --
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
--
-> Jean-Francois Dive
--> jef@linuxbe.org
There is no such thing as randomness. Only order of infinite
complexity. - _The Holographic Universe_, Michael Talbot
Reply to: