Re: Debian for kids
Looks like I was too late. After sending the email I realized what I
said. It was an original thought before discarding because the commands
are not run as root. I agree with the using special groups for some of
the commands. I should also not post late at night after a long day.
Alex
On Wed, 2 Feb 2000, Ethan Benson wrote:
> On Wed, Feb 02, 2000 at 11:44:30PM -0500, Alex Dukat wrote:
> >
> >
> > On Wed, 2 Feb 2000, Ethan Benson wrote:
> >
> > > auth requisite pam_listfile.so item=user sense=deny \
> > > file=/etc/deny.passwd onerr=succeed
> > >
> > > to the begining /etc/pam.d/passwd, and add any users who can't seem to
> > > use passwd command right to /etc/deny.passwd (or whatever). multiuser
> > > compatible!
> >
> > As a start to kid proofing a machine, one could remove world permissions
> > on all potentially dangerous commands, passwd, chmod, chown, etc. Then
> > use sudo to return permission to those who are responsible.
>
> well chown can only be used by root, so its not a problem, chmod can
> only affect there own files, but it could create a temporary problem i
> suppose.. (chmod -R 0 .) passwd like i said need not have its
> permissions changed since access can be better controlled through use
> of PAM.
>
> using sudo to give the permissions back is not a good idea however,
> chmod for example does not run as root, its not suid, allowing someone
> to use sudo with chmod allows them to run it as root and change
> permissions on anything. a better option for chmod would have to be
> using a special group and changing its permissions to 750. (though if
> they really wanted it back they can download and compile chmod from
> source.
>
> --
> Ethan Benson
>
Reply to: