Re: Debian for kids

[Ethan Benson <erbenson@alaska.net>]

On Wed, Feb 02, 2000 at 11:44:30PM -0500, Alex Dukat wrote:
> 
> 
> On Wed, 2 Feb 2000, Ethan Benson wrote:
> 
> > auth       requisite	 pam_listfile.so item=user sense=deny \
> > 	file=/etc/deny.passwd onerr=succeed
> > 
> > to the begining /etc/pam.d/passwd, and add any users who can't seem to
> > use passwd command right to /etc/deny.passwd (or whatever).  multiuser
> > compatible!
> 
> As a start to kid proofing a machine, one could remove world permissions
> on all potentially dangerous commands, passwd, chmod, chown, etc.  Then
> use sudo to return permission to those who are responsible.

well chown can only be used by root, so its not a problem, chmod can
only affect there own files, but it could create a temporary problem i
suppose.. (chmod -R 0 .) passwd like i said need not have its
permissions changed since access can be better controlled through use
of PAM.

using sudo to give the permissions back is not a good idea however,
chmod for example does not run as root, its not suid, allowing someone
to use sudo with chmod allows them to run it as root and change
permissions on anything.  a better option for chmod would have to be
using a special group and changing its permissions to 750.  (though if
they really wanted it back they can download and compile chmod from
source.

-- 
Ethan Benson