Re: limitation of user a/c ( telnet service )

On Wed, 2007-02-07 at 17:13 +1030, Tim wrote:
> edwardspl@xxxxxxxxxx:
> >> But when user "edward" login to the server by the telnet service, then he 
> >> can modify the dot file...
> 
> Sam Varshavchik:
> > 1) No, he can't.  Not if the file is owned by root, with no other 
> > permissions.
> 
> The user owns the directory, they can remove files and create new ones.
> You'd have to do more than change those files' ownership to root, and
> I'm still not sure whether that'd work in a user's homespace.
> 
> -- 
> (This box runs FC5, my others run FC4 & FC6, in case that's
>  important to the thread.)
> 
> Don't send private replies to my address, the mailbox is ignored.
> I read messages from the public lists.
> 
My bad... I didn't realize that would happen.  I had used this on some
other OS some time ago and it did work as I stated.  I should have
checked it here first.  I created a test file, changed its mode to 755,
then sourced it and it did source correctly, but then I typed rm
filename and I got a prompt to let me remove a protected file and sure
enough the regular user could do that.  So in Linux, anyway, I am not
sure how you can affect the user individually other than perhaps a group
policy.  This would seem to be a "loose end" in terms of control by the
admin.

	Another option might be from the "login" shell script to recreate the
files, but that still would not prevent the user from accessing the file
during the session and modifying it.  

	About the only other option would be a shell script that would run at
login in one of the system accounts such that it would run first.
Generally Unix, Solaris and some other OS's have an init script for
login that resides inside the root directories.  Some of these scripts
are called from the local shell or login script, but some shells have
scripts that are run outside the user's control.  Perhaps someone with
more use time in Linux could give a better answer.

Regards,
Les H
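
The permission rule behind the behaviour reported above, as an added example that is not part of the original message: on Linux, removing or replacing a file is decided by the permissions on its directory, not by the file's own owner or mode. The function names, uid 500 and the sample modes are constructed for illustration; ACLs and SELinux policy are not modelled.

```python
import stat
from types import SimpleNamespace as St


def can_modify_dir(uid, gids, d):
    """True if uid may add or remove entries in directory d (write + search)."""
    if uid == 0:
        return True
    # Exactly one permission class applies: owner, else group, else other.
    if d.st_uid == uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif d.st_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return d.st_mode & need == need


def can_replace(uid, gids, d, f):
    """True if uid may unlink file f from directory d and create a new one.

    d and f are os.stat() results (or anything with st_mode/st_uid/st_gid).
    The file's own mode is never consulted; its owner matters only when the
    directory has the sticky bit set.
    """
    if not can_modify_dir(uid, gids, d):
        return False
    if d.st_mode & stat.S_ISVTX and uid != 0:
        return uid in (f.st_uid, d.st_uid)
    return True


# Constructed sample values (not taken from any real system).
USER = 500
own_home = St(st_mode=0o040700, st_uid=USER, st_gid=USER)   # drwx------ edward
root_home = St(st_mode=0o040755, st_uid=0, st_gid=0)        # drwxr-xr-x root
sticky_dir = St(st_mode=0o041777, st_uid=0, st_gid=0)       # drwxrwxrwt root
root_dotfile = St(st_mode=0o100444, st_uid=0, st_gid=0)     # -r--r--r-- root


def demo():
    """Can the user replace a root-owned, read-only dot file in each directory?"""
    dirs = {"own_home": own_home, "root_home": root_home, "sticky_dir": sticky_dir}
    return {name: can_replace(USER, {USER}, d, root_dotfile)
            for name, d in dirs.items()}


if __name__ == "__main__":
    print(demo())
```

Because the functions only read `st_mode`, `st_uid` and `st_gid`, the results of `os.stat()` on a real home directory and dot file can be passed in place of the constructed values.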
