Greetings,

On Saturday, 23 October 2004 00:36, Michael Stone wrote:
> On Fri, Oct 22, 2004 at 11:13:55PM +0200, Jan Lühr wrote:
> >Of course, providing security on that level is not the best way to ensure
> > the system's integrity and safety.
> >But why do you think, that security on filesystem level is doomed to
> > failure if it's part of a security concept?
>
> Because you haven't described a practical approach for implementing
> "allow all the users except lp to access mount" in a way which works for
> naive system administrators.

What do you expect here? Of course there is a traditional Unix approach (groups - an ugly one, I admit - and a cleaner approach using POSIX ACLs). If defaults are set in a sensible way, you can protect suid binaries from being used by the wrong users. What's wrong with that idea? As long as you grant rights - related to suid - on filesystem level, it's useful to restrict them on this level, too. Sudo is another approach, but sudo makes things even more complicated. Do you think deleting all root-suid bits and using sudo is a better approach for naive admins?

Keep smiling
yanosz
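
Added example, not part of the original message: a simplified Python model of the POSIX.1e ACL access check, comparing the two filesystem-level approaches named above for "allow all the users except lp to access mount". The group name `mountusers`, the accounts and the ACL entries are constructed assumptions, and root's override of permission checks is not modelled.

```python
# Simplified model of the POSIX.1e ACL access check for a suid-root binary
# such as mount. All users, groups and ACL entries are constructed samples.
X = 1  # execute permission bit (r=4, w=2, x=1)

def may_execute(user, groups, acl):
    """Return True if `user` (member of `groups`) may execute the file.

    acl keys: owner, owner_perm, group, group_perm, other_perm, and
    optionally users {name: perm}, named_groups {name: perm}, mask.
    """
    mask = acl.get("mask", 7)
    if user == acl["owner"]:                  # 1. owning user, never masked
        return bool(acl["owner_perm"] & X)
    if user in acl.get("users", {}):          # 2. named user entry, masked
        return bool(acl["users"][user] & mask & X)
    group_entries = {acl["group"]: acl["group_perm"],
                     **acl.get("named_groups", {})}
    matching = [p for g, p in group_entries.items() if g in groups]
    if matching:                              # 3. any matching group entry
        return any(p & mask & X for p in matching)
    return bool(acl["other_perm"] & X)        # 4. everyone else

# Group approach: chgrp mountusers + chmod 4750. This is an allow-list, so
# every permitted user must be a member of the hypothetical group.
GROUP_ONLY = {"owner": "root", "owner_perm": 7,
              "group": "mountusers", "group_perm": 5, "other_perm": 0}

# ACL approach: keep mode 4755 and add one deny entry (setfacl -m u:lp:---).
# The named-user entry is checked before "other", so only lp is excluded.
ACL_DENY_LP = {"owner": "root", "owner_perm": 7,
               "group": "root", "group_perm": 5, "other_perm": 5,
               "users": {"lp": 0}, "mask": 5}

ACCOUNTS = {  # constructed accounts -> group memberships
    "alice": {"alice", "mountusers"},
    "bob": {"bob"},  # new user the admin has not added to mountusers
    "lp": {"lp"},
}

def who_can_run(acl, accounts=ACCOUNTS):
    """Sorted list of accounts that pass the execute check for `acl`."""
    return sorted(u for u, g in accounts.items() if may_execute(u, g, acl))

if __name__ == "__main__":
    print("group approach:", who_can_run(GROUP_ONLY))
    print("ACL approach:  ", who_can_run(ACL_DENY_LP))
```

The group variant only matches "all users except lp" while group membership is kept current for every account; the ACL variant expresses the exception directly with a single entry.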