Quoting drew wymore <[email protected]>:

> On Mon, Dec 27, 2010 at 8:22 PM, Michael C. Robinson <
> [email protected]> wrote:
>
>> Standard on Linux is that root can read any file on the local file
>> system. Unfortunately, to get OpenDNS to update via ddclient, you
>> have to know the username and password of the account that needs
>> updating. Is it possible to connect a password to ddclient.conf
>> or better yet require entry of the password in the file before it
>> can be opened? Basically, what I am interested in is password
>> protecting a single file and requiring that even the super user
>> enter that password to access it, unless the super user wants to
>> delete it. This way, in a sense, there can be more than one superuser
>> and it becomes possible to delegate maintenance of OpenDNS for example
>> to someone else.
>>
>> Frankly, I think it is stupid that you can't ask the OpenDNS servers
>> to update an account without logging in to that account, hint hint.
>> OpenDNS should be asking for the host name assigned to one's dynamic IP
>> address instead of the current IP anyways.
>>
>> _______________________________________________
>> PLUG mailing list
>> [email protected]
>> http://lists.pdxlinux.org/mailman/listinfo/plug
>>
>
> That's the whole idea behind sudo.

No, sudo does not keep root from accessing a file without entering another password. The feature I am talking about would establish a second superuser that is higher than the standard superuser for one specific file. The exception would be deletion; the ordinary superuser should be allowed to delete the uniquely protected file. The root account on a standard Linux system, especially when SELinux is disabled, can manipulate any file.

As far as the comment that a login has to be required by OpenDNS to protect the system, if the system tracked the host name registered with, say, dyndns.org, logging in to achieve an update would be completely unnecessary.

An alternative approach is to modify ddclient so that it saves the password in salted form instead of unencrypted in a text file. This way, the password has to be unsalted by a random person for that person to know it.
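
An added illustration of the "salted form" proposal in the reply above (not part of the original message and not ddclient code): a salted PBKDF2 entry as it could sit in a config file, with the check it supports. The `password_salted` key, the entry layout and the iteration count are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example


def _b64(raw):
    return base64.b64encode(raw).decode()


def make_entry(password, salt=None):
    """Build a hypothetical 'password_salted=' line: iterations$salt$digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"password_salted={ITERATIONS}${_b64(salt)}${_b64(digest)}"


def parse_entry(line):
    """Split an entry back into (iterations, salt, digest)."""
    key, _, value = line.strip().partition("=")
    if key != "password_salted":
        raise ValueError("not a salted password entry")
    iterations, salt, digest = value.split("$")
    return int(iterations), base64.b64decode(salt), base64.b64decode(digest)


def verify(line, candidate):
    """Recompute the digest for a candidate and compare in constant time."""
    iterations, salt, digest = parse_entry(line)
    trial = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return hmac.compare_digest(trial, digest)


if __name__ == "__main__":
    sample = "example-password-123"  # constructed sample, not a real credential
    entry = make_entry(sample)
    print(entry)                       # what a reader of the file would see
    print(verify(entry, sample))       # the right password matches
    print(verify(entry, "other-guess"))  # anything else does not
```

The entry lets a program check a typed password against the stored value; it does not contain the password itself. A client that has to send the password to a remote service would therefore still need to obtain it from somewhere else at update time.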
