On Sun, 26 Sep 1999, Or Sagi wrote:

> Take for example a university setting. You need to give students accounts,
> and you most certainly don't trust them ..

Had you known how much effort was being spent at HUJI while I worked there
to prevent students from compromising root - and how fruitless it was -
you wouldn't be as convinced as you are that it is feasible. You have to have
a team of competent people just working around the clock to block every
possible security breach that's new in the OS applications.

What's needed is a different approach. Cut them off before they're born.
They need shell access? Why? If they need it for Real Work (tm), you're
probably screwed. If they just need access to a choice number of
applications, build a restricted shell, or a menu interface (and make sure
the damn thing is secure), and make it their login shell.

Give free rein to untrusted users on your machine and you're bound to get
reamed sooner or later.


Regards,
Nir.


-- 
Nir Soffer * [EMAIL PROTECTED] * http://www.cs.huji.ac.il/~scorpios/
"He MUST have known I would treat the request with as much urgency as
 washing the wall behind the bathroom mirror, yet he chose to call me
 instead of sending an email?" - Lars Balker Rasmussen, on ASR. 
Mail me with subject 'get pgp key' for my PGP Public key.
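
The menu interface suggested in the message above, sketched as an added example that is not part of the original mail. The script name `menush`, the three menu entries and their paths are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: menu-only login shell. The name "menush" and the menu
# entries below are assumptions for illustration, not from the original mail.

# Fixed environment: nothing inherited from the user influences lookups.
PATH=/usr/bin:/bin; export PATH
unset IFS ENV BASH_ENV CDPATH

# Map a menu choice to one fixed absolute command line. Only an exact
# match is accepted; everything else fails closed.
resolve_choice() {
    case "$1" in
        1) echo "/usr/bin/passwd" ;;
        2) echo "/usr/bin/quota -v" ;;
        3) echo "/usr/bin/cal" ;;
        *) return 1 ;;
    esac
}

menu_loop() {
    # Ignore interrupt and job-control signals so ^C / ^\ / ^Z cannot
    # drop the user out of the menu.
    trap '' INT QUIT TSTP
    while :; do
        printf '1) Change password\n2) Show disk quota\n3) Calendar\nq) Log out\n> '
        IFS= read -r choice || exit 0      # EOF (^D) logs out
        [ "$choice" = q ] && exit 0
        if cmd=$(resolve_choice "$choice"); then
            # $cmd is one of our own constant strings, never user text,
            # so the unquoted expansion (word splitting) is intentional.
            $cmd || echo "Command failed."
        else
            echo "Invalid choice."
        fi
    done
}

# Run the menu only when installed under the assumed name "menush".
case "${0##*/}" in
    menush|-menush) menu_loop ;;
esac
```

Set it as the account's login shell (for example with `chsh -s`), and limit the menu to programs that offer no shell escape of their own, since a pager or editor behind a menu entry undoes the restriction.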

