Hi,

On 12/5/07, Nyizsnyik Ferenc <[EMAIL PROTECTED]> wrote:
> On Wed, 5 Dec 2007 16:58:59 +0100
> "Martin Marcher" <[EMAIL PROTECTED]> wrote:
> > /bin root:users rwxr-x---
> > /sbin root:adm rwxr-x---
> > /usr/bin root:users rwxr-x---
> > /usr/sbin root:adm rwxr-x---
>
> I do get your idea, but have a look at /bin! You will find some very
> important stuff there, like bash, login and cat, but many more, that
> every user should be able to use.

If a user and/or group needs to be able to access stuff from a
directory the admin should explicitly allow access. Not rely on that
users can do so anyway....

> I also get that you want to enable every user by adding r-x rights to
> the users group, but there are a few "users" that are not members of
> the users group, such as www-data (Apache's "user") and postgres. They
> also need those binaries.

While that is true I still think that the added administrational
overhead (again: explicit is better than implicit)

from man setfacl

    setfacl -m g:www-data:rx /bin

wouldn't that work too?

> > and so on. Using acl's it would be very easy to add even more groups.
> > I think the explicit adding of others would make a lot of sense and
> > secure the system in a standard way.
> > I guess it's more a historical reason that others can r+x most of the
> > system but I can see a lot of benefits in denying others by default
> > (of course there's a lot of work involved to migrate from the current
> > permission schema that's at least a serious drawback)

--
http://noneisyours.marcher.name
http://feeds.feedburner.com/NoneIsYours
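
The access decision behind the proposed layout, as an added example that is not part of the original message: a small Python model of the POSIX ACL check described in acl(5), applied to the proposed /bin mode before and after the setfacl entry. The account names and group memberships are constructed, and named-user entries and root's override are left out of the model.

```python
# Added illustration, not code from the thread: models the group-class part
# of the POSIX ACL access check (acl(5)) for the proposed /bin permissions.
R, X = 4, 1  # permission bits, as in the octal mode

# Proposed entry from the thread: /bin root:users rwxr-x---
BIN = {"owner": "root", "owner_perms": 7, "group": "users", "group_perms": 5,
       "named_groups": {}, "mask": None, "other_perms": 0}

# Constructed sample accounts and their group memberships (assumption).
ACCOUNTS = {"alice": {"users"}, "www-data": {"www-data"},
            "postgres": {"postgres"}}


def add_named_group(acl, group, perms):
    """Model `setfacl -m g:<group>:<perms>`: add the entry and recompute the
    mask as the union of all group-class entries (setfacl's default)."""
    named = {**acl["named_groups"], group: perms}
    mask = acl["group_perms"]
    for p in named.values():
        mask |= p
    return {**acl, "named_groups": named, "mask": mask}


def allowed(acl, user, groups, want):
    """True if `user`, a member of `groups`, is granted every bit in `want`."""
    if user == acl["owner"]:
        return acl["owner_perms"] & want == want
    # A minimal ACL has no mask entry, so nothing is filtered.
    mask = 7 if acl["mask"] is None else acl["mask"]
    matching = []
    if acl["group"] in groups:
        matching.append(acl["group_perms"])
    matching += [p for g, p in acl["named_groups"].items() if g in groups]
    if matching:
        # Any matching group entry grants access; a process that matched a
        # group entry never falls through to "other".
        return any((p & mask) & want == want for p in matching)
    return acl["other_perms"] & want == want


def report(acl):
    """Who can read and traverse the directory under this ACL."""
    return {u: allowed(acl, u, g, R | X) for u, g in ACCOUNTS.items()}


if __name__ == "__main__":
    print("rwxr-x--- only:        ", report(BIN))
    print("plus g:www-data:rx ACL:", report(add_named_group(BIN, "www-data", R | X)))
```

In this model every service account outside the users group stays locked out until it gets its own entry, which is the per-account overhead the thread is weighing.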