theoretical question - can root's username be changed?
mike.mccarty at sbcglobal.net
Fri Dec 2 21:22:16 UTC 2005
Les Mikesell wrote:
> On Fri, 2005-12-02 at 14:14, Mike McCarty wrote:
>>One cannot configure sudo such that one can "vi /etc/one_special_file"
>>but not "vi /etc/another_special_file".
> But you can rather easily have a replace_special_file program that
> only specified users can run and that does nothing else. Vi permits
> shell escapes and thus like many unix programs, includes the
> capabilities of all other programs so it's not something you would
> want to permit a user to do as root even if you could control the
> initial file loaded.
But I was addressing the issue of the security model, not whether
something can be done with a specially designed work-around, nor
whether vi had some security holes.
ACL, for example, does exactly what I described, no workaround,
no special program, no extra scripts.
Everything has its strengths and weaknesses. ACL has its own
weaknesses, one of which is that it can be a burden to
non-technical users. It's more complex to set up.
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!
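
The single-purpose helper suggested in the quoted reply, sketched as an added example that is not part of the original thread or written by either poster. The helper name `replace_special_file` comes from the quoted text; the install path, the user `alice`, the size limit and the stdin-based interface are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: hypothetical helper installed as
# /usr/local/sbin/replace_special_file (path and user "alice" are assumptions).
# sudoers entry that permits only this helper:
#   alice ALL=(root) /usr/local/sbin/replace_special_file
# The per-file ACL alternative named in the message, with no helper:
#   setfacl -m u:alice:rw /etc/one_special_file

MAX_BYTES=65536   # constructed limit for this example

# Replace the file at $1 with the data on stdin.
# Reading stdin means the caller's own shell opens the source file with the
# caller's privileges, so the helper never opens a user-chosen path as root.
# Returns 0 on success, 1 if no temp file could be made, 2 on bad input.
install_from_stdin() {
    target=$1
    dir=$(dirname "$target")
    tmp=$(mktemp "$dir/.replace.XXXXXX") || return 1
    # Read one byte past the limit so oversized input is detected.
    head -c $((MAX_BYTES + 1)) > "$tmp"
    size=$(($(wc -c < "$tmp")))
    if [ "$size" -eq 0 ] || [ "$size" -gt "$MAX_BYTES" ]; then
        rm -f "$tmp"
        return 2
    fi
    chmod 644 "$tmp"
    # Rename within one directory: readers see the old or the new file,
    # never a partial write.
    mv -f "$tmp" "$target"
}

# Entry point: runs only under the helper's own name, accepts no arguments,
# and the destination is fixed, so there is no editor and no shell escape.
if [ "${0##*/}" = "replace_special_file" ]; then
    install_from_stdin /etc/one_special_file
fi
```

Under these assumptions the permitted user would run `sudo /usr/local/sbin/replace_special_file < candidate_file`.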