On Thu, Jun 06, 2002 at 09:24:35AM +0200, Niels Möller wrote:
> There are four more bits than the traditional rwxrwxrwx. And what you want
> to do is modify those bits on /etc/passwd to say (i) processes that
> have no uid:s at all are not included in "others", and (ii) such
> processes are not allowed to access /etc/passwd.

You achieve this by setting bit S_IUSEUNK:

/* If the S_IUSEUNK bit is set, then the S_IUNKNOWN bits (see below)
   control access for unknown users.  If S_IUSEUNK is clear, then
   unknown users are treated as "others" for purposes of access
   control.  */
#define S_IUSEUNK 000000400000

and clearing the bits in S_IUNKNOWN:

/* Mask of protection bits for unknown users (no effective IDs at all).  */
#define S_IUNKNOWN 000007000000

> But it's harder than it sounds, because chmod doesn't yet know about
> those bits. There have been some patches on the hurd-bugs mailing list.

But chmod knows about octal numbers! ;) So you can actually just calculate
the right octal number and pass it to chmod on the command line, IIRC.
Something like

# chmod 0400644 /etc/passwd

should do the job (untested!).

> Also the default for the bit that decides whether or not no-uid
> processes are included in "others" isn't really decided yet.

Yep, that's still open. The current behaviour is documented above.

> And at last, if you have the login shell only on the console (that's
> the default behavior, iirc),

Unfortunately not. I didn't bother to figure out yet which place I have to
change to make it use /bin/loginpr on incoming connections, rather than
/bin/login. Or should we swap the programs and configure the local console
to use something different than /bin/login? Someone please send a patch! :)

Thanks,
Marcus

-- 
`Rhubarb is no Egyptian god.'
Debian http://www.debian.org [EMAIL PROTECTED]
Marcus Brinkmann GNU http://www.gnu.org [EMAIL PROTECTED]
[EMAIL PROTECTED] http://www.marcus-brinkmann.de
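Added example (not part of Marcus's message or the Hurd's own access code): a small C model of the S_IUSEUNK/S_IUNKNOWN semantics quoted above, which works out which rwx bits a uid-less process ends up with and builds the octal argument for chmod. The bit values come from the message; the assumption that the S_IUNKNOWN bits sit at bits 18..20 in r/w/x order (S_IRWXU shifted left by 12) is mine.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Hurd-specific bits exactly as quoted in the message; defined here so
   the model also compiles on systems whose <sys/stat.h> lacks them. */
#ifndef S_IUSEUNK
#define S_IUSEUNK  000000400000  /* use S_IUNKNOWN for uid-less processes */
#endif
#ifndef S_IUNKNOWN
#define S_IUNKNOWN 000007000000  /* rwx bits for processes with no IDs */
#endif
/* Assumption: S_IUNKNOWN is S_IRWXU << 12, i.e. rwx in bits 18..20. */
#define UNK_TO_RWX_SHIFT 18

/* Effective permission bits (0..7) that a process with no effective IDs
   gets on a file with the given mode, per the documented semantics:
   S_IUSEUNK set -> S_IUNKNOWN bits decide; clear -> treated as "others". */
unsigned int unknown_user_perms(mode_t mode)
{
    if (mode & S_IUSEUNK)
        return (unsigned int)((mode & S_IUNKNOWN) >> UNK_TO_RWX_SHIFT);
    return (unsigned int)(mode & S_IRWXO);
}

/* Keep the classic bits of base_mode, turn on S_IUSEUNK and clear every
   S_IUNKNOWN bit, so uid-less processes get no access at all.  */
mode_t deny_unknown_users(mode_t base_mode)
{
    return (base_mode & ~(mode_t)S_IUNKNOWN) | S_IUSEUNK;
}

/* Render a mode as the leading-zero octal number chmod accepts.  */
int format_chmod_arg(mode_t mode, char *buf, size_t len)
{
    return snprintf(buf, len, "0%o", (unsigned int)mode);
}

int main(void)
{
    char arg[16];
    mode_t m = deny_unknown_users(0644);   /* the /etc/passwd case */
    format_chmod_arg(m, arg, sizeof arg);
    printf("chmod %s /etc/passwd\n", arg);
    printf("uid-less process gets rwx=%o, others get rwx=%o\n",
           unknown_user_perms(m), (unsigned int)(m & S_IRWXO));
    return 0;
}
```

Running it prints `chmod 0400644 /etc/passwd`, matching the number in the message, and shows that "others" keep read access while a uid-less process gets nothing.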

