On Thu, Mar 16, 2000 at 07:47:47PM +0100, Niels Möller wrote:
> Norbert Nemec <[EMAIL PROTECTED]> writes:
>
> > Great, that's the piece of information I was waiting for! Actually I do not
> > know any reason, why the login-shell was introduced at all! Why would you
> > allow any non-logged in user to execute any command but "login"?
>
> Perhaps I (an ordinary user) would like to share some files in my home
> directory with the rest of the world? With the not-logged-in user
> concept, I can set the permissions appropriately, and anyone who wants
> the files can use the not-logged-in shell and get them. The
> alternative would be to set up something like a webserver, which is
> massive overkill and less convenient.
Make the files world-readable and have an anonymous guest-account on your system - alas, you have exactly the same effect. Of course it is up to the sysad, whether he wants to allow that. Just like a hurd-sysad may or may not allow non-logged-in shell access.

> > Any user who has an account can simply log in and do whatever he
> > wants to do afterwards, and people who do not have accounts should
> > not be allowed to do anything! In case you really need anonymous
> > access, you can simply introduce a "guest" account on your machine,
> > just as it is done on many Linux machines already.
>
> I don't follow you here. On Unix, you can't have a not-logged-in user,
> and you can choose whether or not to install a guest account. On HURD,
> you have the not-logged-in user, and you can choose whether or not to
> give that user shell access. In which way is the Unix way better?
>
> I believe the HURD way even has a few advantages:
>
> On Unix, to treat the guest specially (for instance, denying
> read-access to /etc/passwd), you would have to create a special group
> that all users except the guest user are members of, and I believe it
> will be quite messy to set up correctly. On HURD, you can simply set
> the appropriate bits, e.g. on /etc/passwd, to deny read access for
> guests.

OK, there is the alternative between introducing a more complex group system or setting a fourth set of permission bits correctly for the whole system. The non-logged-in permissions will have to be set by the package maintainers, but if we really need that functionality offered by the default Debian system, we could just as well make a more complex group system part of the policy.

> Because a guest account is an ordinary user account, as far as the OS
> is concerned, the guest has an entry in /etc/passwd. By default, a
> user is allowed to change his or her passwd entry. You have to somehow
> disable this for the special guest user, otherwise, anyone logged in
> as guest could change the passwd or login shell on the guest account,
> causing trouble for other guests.

Using shadow passwords you already have that functionality.

> > For that reason, my suggestion would be, to drop the whole idea about the
> > login shell, and by that drop all the effort about the fourth permission
> > set!
> > (Just think how long it will take, until all the tools are modified to
> > support that feature!)
>
> I don't think it's that difficult. As far as I know, you need to modify
> chmod and ls and perhaps some other programs in the fileutils package.
> And you need to modify base packages with sensible defaults for the
> new bit. Am I missing something?

Yes: you will need to patch about every file manager that exists out there that handles permissions in any way. mc, kfm, emacs, git, probably quite a list of other programs.

The question is not whether the concept of the non-logged-in user has any drawbacks - it simply is quite an overkill for something that can be handled by the existing user/group system just as well, a lot easier and much more flexible and compatible.

Ciao,
Nobbi

-- 
-- ______________________________________________________
-- JESUS CHRIST IS LORD!
-- To Him, even that machine here has to obey...
--
-- _________________________________Norbert "Nobbi" Nemec
-- Hindenburgstr. 44 ... D-91054 Erlangen ... Germany
-- eMail: <[EMAIL PROTECTED]> Tel: +49-(0)-9131-204180
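A small model of the two access-control schemes argued over in this thread, added here as an example and not part of the original messages: the Hurd's fourth permission set for a caller with no uid at all, beside the Unix workaround of a group that holds every real account except the guest. All uids, gids and names are constructed, and the Hurd's real on-disk layout of the "unknown user" bits is deliberately not reproduced.

```python
# Added example, not from the thread. The fourth set is modelled as one more
# rwx triple; all uids/gids below are constructed for illustration.
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

ROOT, ALICE, BOB, GUEST = 0, 1000, 1001, 1002
USERS_GID = 100  # constructed Unix group meant to hold every real account

@dataclass(frozen=True)
class Triple:
    r: bool = False
    w: bool = False
    x: bool = False

@dataclass(frozen=True)
class Inode:
    owner: int
    group: int
    user: Triple
    grp: Triple
    other: Triple
    unknown: Triple = Triple()  # Hurd's fourth set; ignored by the Unix check

def hurd_can_read(f: Inode, uids: FrozenSet[int], gids: FrozenSet[int]) -> bool:
    """Hurd model: a not-logged-in caller carries no uid and is judged by the fourth set."""
    if not uids:
        return f.unknown.r
    if f.owner in uids:
        return f.user.r
    return f.grp.r if f.group in gids else f.other.r

def unix_can_read(f: Inode, uid: int, gids: FrozenSet[int]) -> bool:
    """Classic Unix check: the guest is an ordinary uid, so only 'other' can shut it out."""
    if f.owner == uid:
        return f.user.r
    return f.grp.r if f.group in gids else f.other.r

R, RW, NONE = Triple(r=True), Triple(r=True, w=True), Triple()
# Niels's Hurd setup: readable by anyone logged in, denied to the fourth set.
HURD_PASSWD = Inode(ROOT, ROOT, RW, R, R, unknown=NONE)
# Niels's Unix workaround: mode 0640 with a group holding every account except guest.
UNIX_PASSWD = Inode(ROOT, USERS_GID, RW, R, NONE)

def compare(uid: Optional[int], gids: FrozenSet[int]) -> Tuple[bool, bool]:
    """(hurd, unix) read decisions; uid None is the anonymous caller, which Unix can only express as GUEST."""
    hurd = hurd_can_read(HURD_PASSWD, frozenset() if uid is None else frozenset({uid}), gids)
    unix = unix_can_read(UNIX_PASSWD, GUEST if uid is None else uid, gids)
    return hurd, unix
```

The third case in the test below is the maintenance cost Niels calls "messy": a freshly created account that nobody has added to the all-users group is locked out of /etc/passwd on the Unix side, while the Hurd model needs no per-account bookkeeping.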

