On Jan 6, 2008 8:34 PM, Carlo Calica <[EMAIL PROTECTED]> wrote:
> > > So what would happen in the above cron when using a uid/gid belonging
> > > to someone else.
> >
> > I think it would just work, as the uid/gid "was there".
>
> Yeah it should work. May introduce a vulnerability through the shared
> uid/gid. It would be horrible if cron shared ids with apache. I'd
> recommend a policy where fixed ids like that start at 99 and work down
> (avoid ISO shipped 0+, and dynamic 100-999). May need to patch
> sources, but really the only secure choice. Am I being paranoid?

That makes sense. Since there's no "well known ids" (except for the super-user), I think that's fair. I've just made that change to the patch.

> a nonsystem keyword for required_users?
>
> echo "$entry" | grep -q " nonsystem" && unset uid
>
> inserted appropriately should work.

I think it's better to disallow that. Normal user accounts shouldn't be created automatically, IMO. Can you think of some case where that would be necessary?

The new patch is attached. More comments?

--
Lucas
powered by /dev/dsp
Scripts-Requirements.patch
Description: Binary data
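
The allocation policy discussed in this thread, as an added example that is not part of the original message or the attached Scripts-Requirements.patch: it picks the highest unused id at or below 99 and reports uids held by more than one account. The function names, the lower bound of 1 and the sample passwd/group contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the attached patch): pick fixed system ids from 99 down.
# Assumption: ids 1..99 are the fixed range; 100-999 is left to dynamic allocation.

# id_in_use ID PASSWD GROUP: succeeds if ID is already a uid or gid in either file.
id_in_use() {
    awk -F: -v id="$1" '
        FILENAME == ARGV[1] && ($3 == id || $4 == id) { found = 1 }
        FILENAME == ARGV[2] && $3 == id               { found = 1 }
        END { exit !found }' "$2" "$3"
}

# next_fixed_id PASSWD GROUP: prints the highest unused id in 99..1.
next_fixed_id() {
    candidate=99
    while [ "$candidate" -ge 1 ]; do
        if ! id_in_use "$candidate" "$1" "$2"; then
            echo "$candidate"
            return 0
        fi
        candidate=$((candidate - 1))
    done
    echo "no free fixed id below 100" >&2
    return 1
}

# shared_uids PASSWD: prints "uid: names" for each uid held by several accounts.
shared_uids() {
    awk -F: '{ names[$3] = names[$3] (count[$3]++ ? "," : "") $1 }
             END { for (u in count) if (count[u] > 1) print u ": " names[u] }' "$1" | sort -n
}

# Constructed sample files: cron and apache share uid 99, the case to avoid.
make_sample() {
    printf '%s\n' 'root:x:0:0::/root:/bin/sh' 'cron:x:99:99::/:/bin/false' \
        'apache:x:99:99::/:/bin/false' 'ntp:x:98:97::/:/bin/false' > "$1/passwd"
    printf '%s\n' 'root:x:0:' 'cron:x:99:' 'ntp:x:97:' 'audio:x:96:' > "$1/group"
}

dir=$(mktemp -d)
make_sample "$dir"
echo "next free fixed id: $(next_fixed_id "$dir/passwd" "$dir/group")"
echo "shared uids: $(shared_uids "$dir/passwd")"
rm -rf "$dir"
```

An id counts as taken if it appears as a uid, a primary gid or a group gid, so a new service account never inherits file ownership or group membership from an existing one.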