Al Sparks wrote: > > I tried to execute > ifconfig eth0 down > on my system as non-root, and got permission denied. > > If you're going to restrict access to the commands in /sbin, you > should also change the permissions on the /sbin directory so > unauthorized personnel can't reach it. As things stand now, you > simply have security through obscurity, since users can change their > own $PATH. > > Actually, if you're going to restrict users, you default their shell > to /bin/rbash, set their $PATH to a small amount of directories, and > make their .bashrc and .bash_profiles inaccessible. > === Al > What happens if you run "/sbin/ifconfig eth0" instead of "/sbin/ifconfig eth0 down"? Is the permission denied message about running ifconfig or about trying to bring down eth0? There are times when the information presented by ifconfig is useful to a normal user, even though you can not change the settings. One thing I think you are missing is that keeping these commands off a normal user's path is not really a security measure. It is more a matter of keeping them out of the way of people that would not normally need access to them. Chances are, they are not going to stumble across them by accident, but they are there if you do need to use them. The security is that most actions by the commands require root permissions. The information function of the commands still works for normal users. Mikkel -- Do not meddle in the affairs of dragons, for thou art crunchy and taste good with Ketchup! -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
