> What would be the best way to enable her to run the shutdown command, without
> creating a giant security hole which might bite me in the @*% should this
> machine ever become a gateway? My thoughts up to this point:
>
> 1) Creating a group consisting of my wife and myself, and doing a setuid and
> chmod 710 on the shutdown command itself, and changing group ownership to the
> group with me and her in it.

Not a bad idea - though anyone who can crack into the system *could* gain access to this one command.

> 2) Creating a group consisting of my wife and myself, and writing a script
> which executes the shutdown command, then setting the ownership for the script
> to root, group ownership on the script to our group, and doing a setuid on
> just the script.

Linux doesn't support suid on scripts - it's *that* big of a security hole! A wrapper program would be more like it.

> It seems to me that the second option is the best as I don't have to monkey
> around with the permissions on the command. Is the second any more of a
> security concern than the first, or, as I assume, less? Say my wife's user
> password is ridiculously easy to guess; do these give the same amount of
> system access to the person who cracks into her account?
>
> Does anyone know of a better way to do this?

Yes! Try using sudo or super. They allow ordinary users to have access to specific system level programs without monkeying around with permissions. I've used sudo for a long time and am happy with the access it allows. Super may be even easier to use, I'm not sure.

Another way that I've seen systems handle this - not advocating it - just mentioning... is to have a shutdown user (w/ a password of course) that runs the shutdown command upon login. If this user has root equivalent authority (the SCO systems I've seen with this are user=0, group=0... shudder...) then just logging in will bring the system down. It's an option - not a very good one, but an option.

Chuck

--
Chuck Stickelman, Owner         E-Mail: <[EMAIL PROTECTED]>
Practical Network Design        Voice:  (419) 529-3841
9 Chambers Road                 FAX:    (419) 529-3625
Mansfield, OH 44906-1302 USA
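
The wrapper program mentioned in the reply, as an added example (not code from the post or its author): a setuid-root binary that checks the caller's real group membership, then runs shutdown with a fixed argument list and a fixed environment. The group name `shutdown`, the path `/sbin/shutdown` and the arguments `-h now` are assumptions.

```c
/* Added example: setuid-root wrapper that runs shutdown for one group only.
 * Assumed (not from the post): group "shutdown", /sbin/shutdown, "-h now". */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define ALLOWED_GROUP "shutdown"        /* hypothetical group name */
#define SHUTDOWN_PATH "/sbin/shutdown"  /* assumed location */

/* Return 1 if `want` is the primary gid or is in the supplementary list. */
int gid_allowed(gid_t want, gid_t primary, const gid_t *supp, int n)
{
    if (primary == want)
        return 1;
    for (int i = 0; i < n; i++)
        if (supp[i] == want)
            return 1;
    return 0;
}

int main(void)
{
    /* Fixed argv and environment: nothing the caller supplies
     * (arguments, PATH, LD_*, IFS) reaches the root process. */
    char *const argv[] = { "shutdown", "-h", "now", NULL };
    char *const envp[] = { "PATH=/sbin:/bin:/usr/sbin:/usr/bin", NULL };
    gid_t supp[64];

    struct group *gr = getgrnam(ALLOWED_GROUP);
    if (gr == NULL) {
        fprintf(stderr, "group %s not found\n", ALLOWED_GROUP);
        return 1;
    }
    /* Fails closed: more than 64 groups makes getgroups() return -1. */
    int n = getgroups(64, supp);
    /* getgid() is the caller's real gid; the setuid bit does not change it. */
    if (n < 0 || !gid_allowed(gr->gr_gid, getgid(), supp, n)) {
        fprintf(stderr, "not permitted\n");
        return 1;
    }
    if (setuid(0) != 0) {   /* make the real uid 0 as well as the effective */
        perror("setuid");
        return 1;
    }
    execve(SHUTDOWN_PATH, argv, envp);  /* absolute path, no shell involved */
    perror("execve");
    return 1;
}
```
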