theoretical question - can root's username be changed?

Mike McCarty mike.mccarty at sbcglobal.net
Fri Dec 2 21:22:16 UTC 2005


Les Mikesell wrote:
> On Fri, 2005-12-02 at 14:14, Mike McCarty wrote:
> 
> 
>>One cannot configure sudo such that one can "vi /etc/one_special_file"
>>but not "vi /etc/another_special_file".
> 
> 
> But you can rather easily have a replace_special_file program that
> only specified users can run and that does nothing else.  Vi permits
> shell escapes and thus like many unix programs, includes the
> capabilities of all other programs so it's not something you would
> want to permit a user to do as root even if you could control the
> initial file loaded.
> 

But I was addressing the issue of the security model, not whether
something can be done with a specially designed work-around, nor
whether vi had some security holes.

ACL, for example, does exactly what I described, no workaround,
no special program, no extra scripts.

Everything has its strengths and weaknesses. ACL has its own
weaknesses, one of which is that it can be a burden to
non-technical users. It's more complex to set up.

Mike
-- 
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!



