Loki wrote:
> On Fri, 20 Aug 2004, John Summerfield wrote:
>> A user who can create users can do anything.
> Er, not true. A user who can sudo vi /etc/passwd can do anything. However, a user who can sudo /usr/local/bin/dedicated-user-creation-script cannot.

That's not a standard tool. If I can use adduser or useradd via sudo I can create a user with UID=0. If I can use passwd to change passwords I can change root's password.
There _are_ safety measures one can take, of course, but to appreciate the need you need to know the risk.
>> A user who can install software can do anything.
> Mostly true.
>> A user who can do restores can do anything.
> Not true. Yes, if you can sudo tar, you can do anything. But once again, sudo /usr/local/bin/dedicated-restore-script can't.
Again, I'm talking about standard tools. Sometimes, /usr/local/bin/dedicated-restore-script won't let me restore what I need if it prevents me from restoring anything.
>> A user who can do backups can make off with a copy of your secrets:-)
> Bah, who keeps secrets on unencrypted hard drives anyway? :)
Lotsa people:-)

--
Cheers
John
-- spambait
1aaaaaaa@computerdatasafe.com.au Z1aaaaaaa@computerdatasafe.com.au
Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/
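The thread contrasts handing out useradd or adduser through sudo with a dedicated wrapper. The sketch below is an added example, not code from either poster: it shows what such a wrapper has to enforce so that a caller cannot request UID 0 or pass extra options. The script path is the one named in the thread; the sudoers entry, the name policy and the fixed useradd options are assumptions.

```shell
#!/bin/sh
# Hypothetical /usr/local/bin/dedicated-user-creation-script.
# Assumed sudoers entry (constructed), granting only this script:
#   operator ALL = (root) /usr/local/bin/dedicated-user-creation-script
# The script validates its own arguments; it does not rely on sudoers for that.

LC_ALL=C; export LC_ALL                  # make [a-z] mean ASCII lowercase only
USERADD=${USERADD:-/usr/sbin/useradd}    # absolute path, no PATH lookup

# Accept exactly one argument: a conservative login name.
# First character must be a lowercase letter, so a leading '-' (an option)
# is rejected; the rest may be lowercase letters, digits, '_' or '-'.
valid_username() {
    [ "$#" -eq 1 ] || return 1
    [ "${#1}" -le 32 ] || return 1
    case $1 in
        ''|[!a-z]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Print the command the wrapper would run, for review or dry runs.
# The caller supplies only the name: UID, GID, home and shell are fixed
# here, so "-u 0 -o" cannot be requested through this script.
useradd_command() {
    valid_username "$@" || return 1
    printf '%s -m -s /bin/sh -- %s\n' "$USERADD" "$1"
}

# Create the account. Arguments are passed as separate words (no eval),
# and "--" ends option parsing before the name.
create_user() {
    valid_username "$@" || { echo "refused: invalid user name" >&2; return 1; }
    "$USERADD" -m -s /bin/sh -- "$1"
}

# Act only when called with arguments, e.g. through sudo.
if [ "$#" -gt 0 ]; then
    create_user "$@"
fi
```

The same constraint cuts the other way, as the reply about the restore script notes: a wrapper this strict also refuses legitimate requests it was not written for.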