[ale] Access Control Challenge
Yu, Jerry
Jerry.Yu at Voicecom.com
Tue May 25 10:21:22 EDT 2004
if only root can change password, remove the SUID bit on /usr/bin/passwd
Or, only allow root and a special group to have access to the original SUID
/usr/bin/passwd
for fun, change DBA's password to 2048 random bytes or longer. the pam_md5
module should be able to handle that...
-----Original Message-----
From: Danny Cox [mailto:danscox at mindspring.com]
Sent: Monday, May 24, 2004 5:32 PM
To: Atlanta Linux Enthusiasts
Subject: Re: [ale] Access Control Challenge
Thomas,
On Sun, 2004-05-23 at 01:17, Thomas Wood wrote:
> Has
> anyone else found a more elegant solution? I'd really like to keep my
> DBAs in the loop, password-wise, but they don't need the password and I
> think I can prevent them from changing it.
>
> Any thoughts? And no, tcp wrappers doesn't let you filter by username.
> Oh that it did. Also, I'm trying to avoid installing a firewall on my
> DB, so please, no filter rulesets.
Will passwd -l (see man 1 passwd) do? It "locks" the account, only
allowing root to gain access. It may close the door too much, though.
--
kernel, n.: A part of an operating system that preserves the
medieval traditions of sorcery and black art.
Danny
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale
More information about the Ale
mailing list