On Tue, Jun 19, 2001 at 12:35:51PM -0600, Hubert Chan wrote:
> >>>>> "Ethan" == Ethan Benson <[EMAIL PROTECTED]> writes:
>
> Ethan> passwd not being able to update /etc/shadow would be a very bad
> Ethan> thing since users would be unable to change their own passwords.
> Ethan> users need to be encouraged to change their passwords, not
> Ethan> discouraged.
>
> Off topic, but I'm just wondering if there has ever been any thought to
> putting each user's information in a separate file. So if I had users
> "foo" and "bar", then I would have files /etc/passwd.d/foo and
> /etc/passwd.d/bar (or something like that), with /etc/passwd.d/foo only
> read/writable by user foo (and root), and /etc/passwd.d/bar only
> read/writable by user bar (and root).
um
GROSS!!!
sorry.
> This way, the login programs would still need to be SUID root (but I
> don't think there's any way around that, since they need to launch a
> shell under different UID's), but programs such as passwd would not,
> since user foo (and root) already have permissions to his password file.
echo 'eb::0:0:Ethan Benson:/home/eb:/bin/bash' > /etc/passwd.d/eb
login wheeeee r00t!
> The only problems I could think of is that it would eat up a chunk of
> inodes (but I don't know of anyone who's running short on inodes), and
> we'd have a lot of internal fragmentation in the filesystem (which
> shouldn't be too much of a problem, with disk space so cheap). If all
> the login programs use PAM, then creating such a scheme won't break any
> programs (hopefully).
it would be a nightmare to administer.
> Ethan> i don't think you can really modify passwd to be that granular
> Ethan> about ssh vs other methods of access.
>
> OK, back on topic... could you modify PAM? Do all login programs in
> Debian use PAM now?
i don't think it's a matter of modifying things; it's a matter of
detecting ssh vs other forms of access, which is really impossible. unless
you trust the utmp file maybe, and even that doesn't really help.
when you have uid=0 you have uid=0; nothing cares where it came from,
it just is.
--
Ethan Benson
http://www.alaska.net/~erbenson/
PGP signature
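The reply's one-liner shows why per-user-writable password entries cannot work: the owner of the file controls the uid and password fields, so the "account database" is whatever the user says it is. The following audit script is an added example, not code from this thread or from Debian; it assumes the hypothetical /etc/passwd.d layout Hubert describes (one passwd-format line per file, named after the owning user) and uses a constructed sample set of entries, including the one from the reply. It flags exactly the field tampering such a design invites: an entry whose name does not match the file owner, an empty password field, a uid 0 claimed by anything other than root, and duplicate uids.

```python
from typing import Dict, List

# Constructed sample (not real system data): maps the owning user of a
# hypothetical /etc/passwd.d/<user> file to the passwd-format line in it.
SAMPLE_ENTRIES: Dict[str, str] = {
    "root": "root:x:0:0:root:/root:/bin/bash",
    "foo":  "foo:x:1000:1000:Foo User:/home/foo:/bin/bash",
    "bar":  "bar:x:1001:1001:Bar User:/home/bar:/bin/sh",
    # the entry written in the reply: empty password field, uid 0, gid 0
    "eb":   "eb::0:0:Ethan Benson:/home/eb:/bin/bash",
}

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")


def parse_entry(line: str) -> Dict[str, str]:
    """Split one passwd(5)-format line into its seven named fields."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))


def audit_entries(entries: Dict[str, str]) -> List[str]:
    """Return a list of findings for a per-user-file account database.

    `entries` maps the file owner (the user who can write the file) to the
    line the file contains.  Every finding is a way a user-controlled entry
    can escalate or bypass authentication.
    """
    findings: List[str] = []
    seen_uids: Dict[str, str] = {}
    for owner, line in entries.items():
        e = parse_entry(line)
        if e["name"] != owner:
            findings.append(f"{owner}: entry names {e['name']!r}, not the file owner")
        if e["passwd"] == "":
            findings.append(f"{owner}: empty password field (login needs no password)")
        if not e["uid"].isdigit():
            findings.append(f"{owner}: non-numeric uid {e['uid']!r}")
        elif e["uid"] == "0" and owner != "root":
            findings.append(f"{owner}: uid 0 claimed by a non-root entry")
        if e["uid"] in seen_uids:
            findings.append(f"{owner}: uid {e['uid']} duplicates {seen_uids[e['uid']]}")
        seen_uids.setdefault(e["uid"], owner)
    return findings


if __name__ == "__main__":
    for finding in audit_entries(SAMPLE_ENTRIES):
        print(finding)
```

Run as root over the real directory this would catch the tampered entry after the fact, which is the point of the reply: a check like this is the only defence the design leaves, and it runs only after the user has already been able to log in as uid 0. A single root-owned /etc/passwd and /etc/shadow, updated by a setuid passwd that validates the one field the user may change, removes the problem instead of detecting it.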