On Fri, Jun 01, 2001 at 10:25:24PM +0200, Tomasz Olszewski wrote:
> OK, I mentioned both startx and xinit but when I was talking about
> ignoring the global xinitrc I referred to xinit (because startx was
> already not a problem).

Oh ok. P.S. if you do modify the startx script it will be overwritten on upgrades as I mentioned in another message, or, you can use dpkg-divert as another poster has suggested.

> Who will guarantee that a user will use an alias ;)?

Right -- but then we come back to the part about "what is preventing them from opening any tcp port.. or running X directly.. etc.." :)

Fwiw, stateful filtering (don't allow anything in that is not part of an outbound connection), or filtering out syn packets (ipchains with -y), or using a restricted shell with a wisely-chosen and prepared $PATH would get you out of this bind. Or all of the above. ;)

