Re: Understanding /root, /usr, /var and so on

[Mike McCarty <Mike.McCarty@sbcglobal.net>]

Gene Heskett wrote:
> On Sunday 26 March 2006 02:16, Matthew R. Dempsky wrote:
>
> > On Sun, Mar 26, 2006 at 12:46:14AM -0500, Gene Heskett wrote:
> >
> > > Giving everybody access to ifconfig and its ilk sure sounds like a
> > > big security hole to me.
> >
> > That's ridiculous.  If adding ifconfig to your users' PATH is a
> > security concern, your system is already at risk.
>
>
> But what happens in a corporate setting with more than 1 subnet, one 
> having a good firewall that only lets in filtered email, and one thats 
> relatively wide open, and both thru the same switch?  I don't think 
> you'd want a savvy user switching the machine from one subnet to the 
> other and allowing in a boatload of viri or porn.  The viri is a huge 
> PITA to clean up, the porn OTOH, is a huge legal liability in many 
> locales.

$ /sbin/ifconfig eth0 172.17.205.79
SIOCSIFADDR: Permission denied
SIOCSIFFLAGS: Permission denied

That's what happens.

> IMO ifconfig is a system function, and the normal user has no need for 
> access to it, none, nada, zip.  As the admin, the admin should be 
> responsible for that, with those configs locked down for normal users.

It both displays and sets information. I see no need to conceal the
information it displays.

> Heck, I'm using two subnets here at home with only 3 machines, just for 
> that exact reason, seperation of responsibilities.  Call me paranoid, 
> but I intend to keep it that way.

Try actually changing a setting while not having root privilege.

Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!