On Mon, 2003-12-01 at 13:49, John Smith wrote:
> thanks for your remarks, they answer most of my questions,
> as did a thorough grep session on debian-policy, (thanks Paul). What
> I'm bothered with is that convenience takes precedence over security
> in this case. The example of an [evil/compromised] application
> manager with write access to one of the /local directories, who
> inserts a trojan named passwd is probably obvious to all. <Asbestos>
> Two other os-es that I'm thoroughly familiar with, Netware and
> Windows, insert for this exact reason the system paths before the
> local paths. </Asbestos>

Hmm, being that Windows always puts . first in the path, I would ignore any other path-related "security features" they put into place. The real answer to your question is: don't put users you don't trust in the staff group... seems pretty simple.

As for login.defs: (from the manpage)

"Much of the functionality that used to be provided by the shadow password suite is now handled by PAM. Thus, /etc/login.defs is no longer used by programs such as login(1), passwd(1) and su(1). Please refer to the corresponding PAM configuration files instead."

--
Mark Roach
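
The exposure discussed in this thread (a group-writable /local directory that precedes the system directories in PATH and holds a command with a system name such as passwd) can be audited with a short script. This is an added example, not part of the original messages; the function name `path_shadow_audit` is hypothetical.

```shell
#!/bin/sh
# Added example: report executables in a group- or world-writable PATH
# directory that shadow a same-named executable in a later PATH directory.
# Usage: path_shadow_audit "$PATH"
path_shadow_audit() {
    remaining=$1
    while [ -n "$remaining" ]; do
        dir=${remaining%%:*}
        case $remaining in
            *:*) remaining=${remaining#*:} ;;
            *)   remaining= ;;
        esac
        # An empty entry (leading or doubled colon) means the current directory.
        [ -n "$dir" ] || dir=.
        [ -d "$dir" ] || continue
        # Characters 6 and 9 of the ls mode string are group and other write.
        mode=$(ls -ld "$dir" | cut -c6,9)
        case $mode in
            *w*) ;;            # writable beyond the owner: inspect it
            *)   continue ;;   # owner-only write: nothing to report
        esac
        for f in "$dir"/*; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            name=${f##*/}
            # Search the directories that come later in PATH for the same name.
            later=$remaining
            while [ -n "$later" ]; do
                d2=${later%%:*}
                case $later in
                    *:*) later=${later#*:} ;;
                    *)   later= ;;
                esac
                [ -n "$d2" ] || d2=.
                if [ -f "$d2/$name" ] && [ -x "$d2/$name" ]; then
                    echo "$f shadows $d2/$name"
                    break
                fi
            done
        done
    done
    return 0
}
```

An empty result means no writable directory currently overrides a later command; it does not show who is a member of the group that can write there, which is the control the reply points to.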