-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>>>>> "Stefan" == Stefan Srdic <[EMAIL PROTECTED]> writes:

Stefan> So far, I've successfully configured pam_smbpass.so to sync UNIX
Stefan> and SAMBA passwords for my networked users. However, I was as
Stefan> successful in configuring pam_tmpdir.so to restrict user and
Stefan> program access to the /tmp directory.

(I'm assuming you're missing a "not" in that last sentence?)

pam_tmpdir doesn't restrict user access to /tmp. Rather, it creates a
directory called /tmp/user/[uid], where [uid] is the user number, and
sets $TMPDIR and $TMP to /tmp/user/[uid]. /tmp/user is only
read/writable by root (but executable by anyone, so you can get to your
temporary directory), and /tmp/user/[uid] is only read/write/executable
by that user. Programs should then use /tmp/user/[uid] to store
temporary files. Unfortunately, some programs are hard-coded to use /tmp
instead of checking the $TMPDIR and $TMP variables (and some programs
probably have good reason to use /tmp, too).

It seems like the main reason for pam_tmpdir is to prevent symlink
attacks, and it's also useful for preventing people from snooping around
in your temporary files. But it is not meant to control access to /tmp.

- -- 
Hubert Chan <[EMAIL PROTECTED]> - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD 6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net.  Please encrypt *all* e-mail to me.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7SOA4ZRhU33H9o38RAtJAAKCr4zvDIuKAzV8XjpIPVvOX0pGtXwCcCCx/
KlxwCc8xt5X5MO8BEnZVEYQ=
=iJ2u
-----END PGP SIGNATURE-----
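The layout Hubert describes (root-owned /tmp/user with mode 0711, a
per-uid subdirectory with mode 0700, TMPDIR and TMP pointing at it) can
be emulated and checked from a shell. The script below is an added
example written for this archive; it is not pam_tmpdir's own code. The
base directory and uid are parameters (assumed names, not pam_tmpdir
options) so the function can be exercised unprivileged against a scratch
directory; at login pam_tmpdir does this as root under /tmp. The function
refuses symlinks planted at either path and a per-uid directory owned by
someone else, which are the pre-emption tricks the per-user layout is
meant to defeat.

```shell
#!/bin/sh
# Emulation of the directory layout pam_tmpdir sets up at login.
# Added example, not pam_tmpdir source. Assumed parameters: BASE (defaults
# to /tmp) and UID (defaults to the calling user).

# Portable-ish stat wrappers: GNU first, BSD/macOS as fallback.
mode_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }
uid_of()  { stat -c %u "$1" 2>/dev/null || stat -f %u "$1"; }

# make_user_tmpdir [BASE] [UID]
# Creates BASE/user (0711) and BASE/user/UID (0700), exports TMPDIR and
# TMP, and prints the per-user path. Returns 1 on anything suspicious.
make_user_tmpdir() {
  base=${1:-/tmp}
  uid=${2:-$(id -u)}
  parent="$base/user"
  dir="$parent/$uid"

  # A symlink at either path means someone got there first; do not follow.
  if [ -L "$parent" ] || [ -L "$dir" ]; then
    echo "refusing symlink at $parent or $dir" >&2
    return 1
  fi

  # /tmp/user: read/write only for its owner, traversable by everyone so
  # each user can reach their own subdirectory. mkdir -m applies the mode
  # regardless of umask.
  if [ ! -d "$parent" ]; then
    mkdir -m 0711 "$parent" || return 1
  elif [ "$(mode_of "$parent")" != 711 ]; then
    echo "$parent has mode $(mode_of "$parent"), expected 711" >&2
    return 1
  fi

  # /tmp/user/<uid>: private to that user.
  if [ ! -d "$dir" ]; then
    mkdir -m 0700 "$dir" || return 1
  elif [ "$(mode_of "$dir")" != 700 ]; then
    echo "$dir has mode $(mode_of "$dir"), expected 700" >&2
    return 1
  fi

  # The directory must belong to the uid it is named for; otherwise another
  # user pre-created it and could read or replace the temp files placed in it.
  owner=$(uid_of "$dir")
  if [ "$owner" != "$uid" ]; then
    echo "$dir owned by uid $owner, expected $uid" >&2
    return 1
  fi

  TMPDIR=$dir
  TMP=$dir
  export TMPDIR TMP
  printf '%s\n' "$dir"
}
```

Programs that honour $TMPDIR (mktemp, most libc tmpfile implementations,
editors) will then land in the private directory; programs with /tmp
hard-coded, as the message notes, are unaffected by this and still need
their own O_EXCL-style care.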