Xref: utzoo alt.security:1558 alt.bbs:2950 comp.unix.sysv386:434
Path: utzoo!attcan!utgpu!cs.utexas.edu!uunet!mcsun!ukc!slxsys!ibmpcug!dylan
From: dylan@ibmpcug.co.uk (Matthew Farwell)
Newsgroups: alt.security,alt.bbs,comp.unix.sysv386
Subject: Re: Protecting against downloads
Message-ID: <1990Sep15.105649.4953@ibmpcug.co.uk>
Date: 15 Sep 90 10:56:49 GMT
References: <8RFgP2w163w@mudos.ann-arbor.mi.us>
Reply-To: dylan@ibmpcug.CO.UK (Matthew Farwell)
Organization: The IBM PC User Group, UK.
Lines: 32

In article epeterson@encore.com writes:
>mju@mudos.ann-arbor.mi.us (Marc Unangst) writes:
>Aha! I see your point. An even less healthy idea than before.
>However, if you were willing to take the time to do it, perhaps you
>could set up a branch of your file system to be a limited subset of
>your primary file system, with hard links from the subsystem into the
>main system for programs that users would need access to (sh, csh, cc,
>etc.). If you also linked in /etc/passwd, /etc/group, and so forth,
>you'd be set to present a limited subset of your main hierarchy.
>
>There's only two things wrong with doing this -- (1) it may take more
>time and effort than it's worth, and (2) it still doesn't solve the
>original problem.

Actually 2+1/2. Don't link /etc/passwd to /etc/passwd. Maintain a separate
copy of the passwd file in the chroot dir, with passwds starred out. It's
easy enough to do. Just have a script something like:-

    awk -F: '{ OFS=":" ; print $1,"*",$3,$4,$5,$6,$7 }' /etc/passwd > whatever

(forgive me if my awk isn't up to scratch)

Only problem I can see with this approach is that the user can't (easily)
change his/her/its password. All depends on the time + effort you want to
put into security.

Dylan.
--
Matthew J Farwell                 | Email: dylan@ibmpcug.co.uk
The IBM PC User Group, PO Box 360,|        dylan%ibmpcug.CO.UK@ukc
Harrow HA1 4LQ England            |        ...!uunet!ukc!ibmpcug.co.uk!dylan
Phone: +44 81-863-1191            | Sun? Don't they make coffee machines?
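
An added example, not part of the original post: the starred-out passwd copy described above as a shell script that also drops malformed entries, installs the copy by rename, and audits the result for any password field that is not "*". The function names, the temporary paths and the sample accounts are all hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and the demo paths are hypothetical.

# star_passwd SRC DEST: write SRC to DEST with the password field set to "*".
# Comments, blank lines and entries without exactly 7 fields are not copied,
# so a damaged line can never carry a hash into the chroot copy.
star_passwd() {
    src=$1; dest=$2; tmp="$dest.tmp.$$"
    ( umask 022   # the copy is world-readable by design: it holds no hashes
      awk -F: 'BEGIN { OFS = ":" }
          /^#/ || /^$/ { next }
          NF != 7 { print "skipped malformed line " NR | "cat 1>&2"; next }
          { $2 = "*"; print }' "$src" > "$tmp"
    ) || { rm -f "$tmp"; return 1; }
    # Rename into place so a reader inside the chroot never sees a partial file.
    mv -f "$tmp" "$dest"
}

# unstarred_count FILE: number of entries whose password field is not "*".
unstarred_count() {
    awk -F: '$2 != "*" { n++ } END { print n + 0 }' "$1"
}

# demo: run both functions over a constructed passwd file (not real accounts).
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/passwd.real" <<'EOF'
root:CONSTRUCTEDHASH1:0:0:Super User:/:/bin/sh
guest::100:100:Guest:/usr/guest:/bin/sh
broken:line
uucp:CONSTRUCTEDHASH2:5:5:UUCP:/usr/spool/uucp:
EOF
    mkdir -p "$d/chroot/etc"
    star_passwd "$d/passwd.real" "$d/chroot/etc/passwd" || return 1
    cat "$d/chroot/etc/passwd"
    echo "unstarred entries: $(unstarred_count "$d/chroot/etc/passwd")"
    rm -rf "$d"
}

demo
```

The guest entry's empty password field is starred like the others, so the copy never advertises a password-less account.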