Re: Rationale
On Mon, 2003-12-01 at 13:49, John Smith wrote:
> thanks for your remarks, they answer most of my questions,
> as did a thorough grep session on debian-policy, (thanks Paul). What
> I'm bothered with is that convenience takes precedence over security
> in this case. The example of an [evil/compromised] application
> manager with write access to one of the /local directories, who
> inserts a trojan named passwd is probably obvious to all. <Asbestos>
> Two other os-es that I'm thoroughly familiar with, Netware and
> Windows, insert for this exact reason the system paths before the
> local paths. </Asbestos>

Hmm, being that Windows always puts . first in the path, I would ignore
any other path-related "security features" they put into place.

The real answer to your question is: don't put users you don't trust in
the staff group... seems pretty simple.

As for login.defs: (from the manpage)

"Much of the functionality that used to be provided by the shadow
password suite is now handled by PAM. Thus, /etc/login.defs is no
longer used by programs such as login(1), passwd(1) and su(1). Please
refer to the corresponding PAM configuration files instead."

--
Mark Roach
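
The concern raised in this thread, a group-writable /local directory that is searched before the system directories, can be audited with a short shell function. This is an added example, not part of the original message; the function names `loose_dir` and `shadowed_commands` are hypothetical.

```sh
#!/bin/sh
# Added example. Function names are hypothetical, not from any Debian tool.

# loose_dir DIR: succeeds if DIR is writable by its group or by others.
# Characters 6 and 9 of the "ls -ld" mode string are those two write bits.
loose_dir() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c6,9)
    case "$mode" in *w*) return 0 ;; esac
    return 1
}

# shadowed_commands PATHSTRING
# For each group- or world-writable directory in PATHSTRING, print
# "NAME WRITABLE_DIR HIDDEN_FILE" for every executable that hides a command
# of the same name in a directory later in the search order.
shadowed_commands() {
    rest=$1
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        case "$rest" in *:*) rest=${rest#*:} ;; *) rest= ;; esac
        [ -d "$dir" ] && loose_dir "$dir" || continue
        for f in "$dir"/*; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            name=${f##*/}
            later=$rest
            while [ -n "$later" ]; do
                d2=${later%%:*}
                case "$later" in *:*) later=${later#*:} ;; *) later= ;; esac
                if [ -n "$d2" ] && [ -f "$d2/$name" ] && [ -x "$d2/$name" ]; then
                    echo "$name $dir $d2/$name"
                    break
                fi
            done
        done
    done
    return 0
}

# Audit the current search path; no output means nothing is shadowed.
shadowed_commands "$PATH"
```

A line such as `passwd /usr/local/bin /usr/bin/passwd` in the output would mean that anyone with write access to the first directory controls what runs when `passwd` is typed.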