That's true, I hadn't thought of that. Actually it's the disabling of
user shell access that brings that security. But that has nothing to do with
using db, nsswitch. So the real advantage is distribution (as Fraser
wrote) and not security. Sorry Rod, I must have been a bit confused
yesterday.
Michael
Michael Loftis wrote:
local means 'can get shell and/or otherwise get machine to execute
stuff we want to execute'
has nothing to do with /etc/passwd, ldap, nis, mysql, or anything.
all they need is a hole that allows them to execute something.
--On Wednesday, March 24, 2004 17:48 +0000 mimo <[EMAIL PROTECTED]> wrote:
Maybe I'm off topic. Where do you keep your user accounts at the moment?
Are they all local users?
Most exploits and vulnerabilities are local -- they only apply to your
machine if you have (other) local users. So it's more secure to have
"virtual" users via nsswitch / pam /etc and some db (ldap, mysql
preferably).
There are more reasons - but this is the most compelling one I think.
Michael Moritz
Rod Rodolico wrote:
ok, this is a basic question. I am a small IPP (60 domains, 200 users)
and I see a lot of stuff about ldap. I searched the web and got some
basic info on what it does, but the big question is, how would it be
helpful to me? I also run MySQL services, but mainly the server does
smtp, imap, pop, http and dns (exim, courier, apache and bind). One box,
200 users, is there any reason I should consider dns?
BTW, I also maintain three other web servers for people and use them all
as backup servers (using rsync) for each other, but I guess that is not
part of the issue here.
Thanks,
Rod
--
Please note that this account is being filtered using anti UCE systems.
If you send email to this account make sure that it could not be mistaken
as UCE.
--
Michael Loftis
Modwest Sr. Systems Administrator
Powerful, Affordable Web Hosting
GPG/PGP --> 0xE736BD7E 5144 6A2D 977A 6651 DFBE 1462 E351 88B9 E736 BD7E