Loki wrote:
That's not a standard tool. If I can use adduser or useradd via sudo I can create a user with UID=0. If I can use passwd to change passwords I can change root's password.
On Fri, 20 Aug 2004, John Summerfield wrote:
A user who can create users can do anything.
Er, not true.
A user who can sudo vi /etc/passwd can do anything. However, a user who
can sudo /usr/local/bin/dedicated-user-creation-script cannot.
There _are_ safety measures one can take, of course, but to appreciate the need you need to know the risk.
A user who can install software can do anything.
Mostly true.
A user who can do restores can do anything.
Not true. Yes, if you can sudo tar, you can do anything. But once again,
sudo /usr/local/bin/dedicated-restore-script can't.
Again, I'm talking about standard tools.
Sometimes, /usr/local/bin/dedicated-restore-script won't let me restore what I need if it prevents me from restoring anything.
A user who can do backups can make off with a copy of your secrets:-)
Bah, who keeps secrets on unencrypted hard drives anyway? :)
Lotsa people:-)
--
Cheers John
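
An added example, not part of the thread: a small audit that reads sudoers-style user specifications and flags grants of the standard tools the posters name (vi, tar, useradd, adduser, passwd), while leaving dedicated wrapper scripts unflagged. The sample entries and the users alice, bob and carol are constructed, and the parser assumes plain user specifications without aliases, includes or line continuations.

```python
import os
import re

# Tools the thread names as root-equivalent when reachable through sudo.
RISKY = {
    "vi": "can edit /etc/passwd",
    "tar": "can do anything via restore",
    "useradd": "can create a user with UID=0",
    "adduser": "can create a user with UID=0",
    "passwd": "can change root's password",
}

# Constructed sample; alice, bob and carol are hypothetical users.
SAMPLE = """\
# constructed sudoers fragment
Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
alice ALL = (root) /usr/sbin/useradd, /usr/bin/passwd
bob   ALL = (root) NOPASSWD: /usr/local/bin/dedicated-user-creation-script
carol ALL = (root) /bin/tar, /usr/local/bin/dedicated-restore-script
"""

RUNAS = re.compile(r"^\([^)]*\)\s*")      # (root), (ALL : ALL)
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")   # NOPASSWD:, NOEXEC:, ...
SKIP = re.compile(r"^(Defaults|\w+_Alias)\b")


def audit(text):
    """Return (user, command, reason) for each risky grant.

    Assumption: plain user specifications only; aliases, includes and
    line continuations are not expanded.
    """
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line or SKIP.match(line):
            continue
        who, rest = line.split("=", 1)
        user = who.split()[0]
        for spec in rest.split(","):
            cmd = TAGS.sub("", RUNAS.sub("", spec.strip()))
            name = os.path.basename(cmd.split()[0]) if cmd else ""
            if name in RISKY:
                findings.append((user, cmd.split()[0], RISKY[name]))
    return findings


if __name__ == "__main__":
    for user, cmd, why in audit(SAMPLE):
        print(f"{user}: sudo {cmd} -> {why}")
```

An unflagged wrapper script is only as safe as its own input checks; this audit does not inspect the script itself.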