Re: Administration question
>
> What would be the best way to enable her to run the shutdown command, without
> creating a giant security hole which might bite me in the @*% should this
> machine ever become a gateway? My thoughts up to this point:
>
> 1) Creating a group consisting of my wife and myself, and doing a setuid and
> chmod 710 on the shutdown command itself, and changing group ownership to the
> group with me and her in it.
>
Not a bad idea - though anyone who can crack into the system *could* gain
access to this one commend.
> 2) Creating a group consisting of my wife and myself, and writing a script
> which executes the shutdown command, then setting the ownership for the script
> to root, group ownership on the script to our group, and doing a setuid on just
> the script.
>
Linux doesn't support suid on scripts - it's *that* big of a security hole!
A wrapper program would be more like it.
> It seems to me that the second option is the best as I don't have to monkey
> around with the permissions on the command. Is the second any more of a
> security concern than the first, or, as I assume, less? Say my wife's user
> password is ridiculously easy to guess; do these give the same amount of
> system access to the person who cracks into her account?
>
> Does anyone know of a better way to do this?
>
Yes! Try using sudo or super. They allow ordinary users to have access to
specific system level programs without monkeying around with permissions.
I've used sudo for a long time and am happy with the access it allows.
Super may be even easier to use, I'm not sure.
Another way that I've seen systems handle this - not advocating it - just
mentioning... is to have a shutdown user (w/ a password of course) that
runs the shutdown command upon login. If this user has root equivalent
authority (the SCO systems I've seen with this are user=0, group=0...
shudder...) then just logging in will bring the system down. It's an
option - not a very good one, but an option.
Chuck
--
Chuck Stickelman, Owner E-Mail: <stick@richnet.net>
Practical Network Design Voice: (419) 529-3841
9 Chambers Road FAX: (419) 529-3625
Mansfield, OH 44906-1302 USA
--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-user-request@lists.debian.org .
Trouble? e-mail to templin@bucknell.edu .
Reply to: