On Mon, Dec 27, 2010 at 11:32 PM, someone <[email protected]> wrote:
> Quoting drew wymore <[email protected]>:
>
> > On Mon, Dec 27, 2010 at 8:22 PM, Michael C. Robinson <[email protected]> wrote:
> >
> >> Standard on Linux is that root can read any file on the local file
> >> system. Unfortunately, to get OpenDNS to update via ddclient, you
> >> have to know the username and password of the account that needs
> >> updating. Is it possible to connect a password to ddclient.conf
> >> or better yet require entry of the password in the file before it
> >> can be opened? Basically, what I am interested in is password
> >> protecting a single file and requiring that even the super user
> >> enter that password to access it, unless the super user wants to
> >> delete it. This way, in a sense, there can be more than one superuser
> >> and it becomes possible to delegate maintenance of OpenDNS for example
> >> to someone else.
> >>
> >> Frankly, I think it is stupid that you can't ask the OpenDNS servers
> >> to update an account without logging in to that account, hint hint.
> >> OpenDNS should be asking for the host name assigned to one's dynamic IP
> >> address instead of the current IP anyways.
> >>
> >> _______________________________________________
> >> PLUG mailing list
> >> [email protected]
> >> http://lists.pdxlinux.org/mailman/listinfo/plug
> >>
> >
> > That's the whole idea behind sudo.
>
> No, sudo does not keep root from accessing a file without entering
> another password. The feature I am talking about would establish a
> second superuser that is higher than the standard superuser for one
> specific file. The exception would be deletion, the ordinary
> superuser should be allowed to delete the uniquely protected file.
> The root account on a standard Linux system, especially when selinux
> is disabled, can manipulate any file.
>
> As far as the comment that a login has to be required by OpenDNS to
> protect the system, if the system tracked the host name registered with say
> dyndns.org, logging in to achieve an update would be completely
> unnecessary.
>
> An alternative approach is to modify ddclient so that it saves the password
> in salted form instead of unencrypted in a text file. This way, the
> password has to be unsalted by a random person for that person to know it.
>
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>

I can understand the request but you could in theory lock root down or
create a user who has root-like privileges using sudo instead of
manipulating the system with root itself. It is an interesting topic
nonetheless.

Drew-
