Date:      Sat, 1 Jun 1996 08:37:23 -0700 (PDT)
From:      David Babler <dbabler@Rigel.orionsys.com>
To:        Sean Kelly <kelly@fsl.noaa.gov>
Cc:        questions@freebsd.org
Subject:   Re: Limiting access
Message-ID:  <Pine.BSF.3.91.960601083047.10398A-100000@Rigel.orionsys.com>
In-Reply-To: <199606011418.OAA26468@gatekeeper.fsl.noaa.gov>



On Sat, 1 Jun 1996, Sean Kelly wrote:

> >>>>> "David" == David Babler <dbabler@Rigel.orionsys.com> writes:
> 
>     David> I assume the real problem would be if a user just deleted
>     David> the stock .rhosts in their directory and replaced it with
>     David> one of their own, thus making that a trusted system. I
>     David> believe if I change permissions so they can't delete the
>     David> file, I'm okay, yes?
> 
> Yes, but that would mean changing owners on users' home directories.
> To prevent users from removing the .rhosts file, you'd have to make
> sure they didn't own their own home directories.  And since they
> didn't own them, they couldn't create any new files or subdirectories
> unless you gave them appropriate permissions---and then they'd be able
> to remove and create a new .rhosts file.  (But some clever combination
> of owner, mode, and sticky bit might work.)
> 
> Probably the right answer is to use the /etc/login.access file.
> See login.access(5) and the sample, commented-out entries in
> /etc/login.access.
> 
Thanks for all the pointers... 

After poring through the man pages, the solution to keeping the user from 
being able to delete the .rhosts file is to set it so he doesn't own it 
and performing the command (as su):  chflags schg .rhosts  which then 
makes the file immutable. I looked at /etc/login.access originally, and 
will probably use some form of that access as well - I have a lot of 
different user access levels. Mostly, I was trying to deal with the 
clever users who are always looking to get something for nothing <G>.

-Dave Babler
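The thread turns on one rule that is easy to get wrong: permission to unlink a file comes from the directory it sits in, not from the file's own owner or mode, and only an immutable flag (chflags schg/uchg) overrides that. The script below is an added illustration written for this archive page, not code from either poster. It models the classic BSD/POSIX unlink check (owner/group/other write+search on the directory, the sticky bit, and the chflags immutable bits; no ACLs) and runs the four layouts discussed above through it: the stock setup, a root-owned home, a root-owned home with the sticky bit, and David's root-owned .rhosts with schg set. The uid/gid values are constructed for the demonstration; `audit_rhosts` applies the same check to a real account and relies on `st_flags`, which Python only exposes on BSD-derived systems.

```python
"""Who can remove ~/.rhosts? Unlink permission lives on the directory,
not the file, unless a chflags immutable bit is set on the file."""
import os
import pwd
import stat


def can_unlink(dir_mode, dir_uid, dir_gid, file_uid, file_flags, uid, gids):
    """Return True if a process running as uid (member of gids) could
    unlink a file owned by file_uid, carrying chflags-style file_flags,
    from a directory with the given mode/owner/group.
    Classic BSD/POSIX rules only: no ACLs, no securelevel handling."""
    # schg (system immutable) or uchg (user immutable) blocks unlink
    # outright; this is what "chflags schg .rhosts" relies on.
    if file_flags & (stat.SF_IMMUTABLE | stat.UF_IMMUTABLE):
        return False
    if uid == 0:
        return True  # root ignores mode bits
    # Pick the owner, group or other triple of the *directory* mode.
    if dir_uid == uid:
        perms = (dir_mode >> 6) & 0o7
    elif dir_gid in gids:
        perms = (dir_mode >> 3) & 0o7
    else:
        perms = dir_mode & 0o7
    # Unlink needs write (2) and search/execute (1) on the directory.
    if perms & 0o3 != 0o3:
        return False
    # Sticky bit: only the file's owner or the directory's owner may
    # remove an entry, even though everyone may create new ones.
    if dir_mode & stat.S_ISVTX and uid not in (file_uid, dir_uid):
        return False
    return True


def thread_scenarios(uid=1001, gid=1001):
    """The layouts discussed in the thread, with constructed ids.
    .rhosts is root-owned (file_uid 0) in every case."""
    gids = {gid}
    return {
        # user owns a 0755 home: the root-owned .rhosts is still deletable
        "stock": can_unlink(0o755, uid, gid, 0, 0, uid, gids),
        # root owns the home: safe, but the user cannot create files either
        "root_owned_home": can_unlink(0o755, 0, 0, 0, 0, uid, gids),
        # root owns a 1777 home: user may create files, not remove .rhosts
        "sticky_home": can_unlink(0o1777, 0, 0, 0, 0, uid, gids),
        # user owns the home, .rhosts is root-owned with schg set
        "schg": can_unlink(0o755, uid, gid, 0, stat.SF_IMMUTABLE, uid, gids),
    }


def audit_rhosts(username):
    """Apply the same check to a real account's ~/.rhosts.
    Returns None when no .rhosts exists, else True if the user could
    delete it. st_flags is only present on BSD-derived systems, so on
    Linux the immutable test is skipped (flags read as 0)."""
    pw = pwd.getpwnam(username)
    gids = set(os.getgrouplist(username, pw.pw_gid))
    path = os.path.join(pw.pw_dir, ".rhosts")
    try:
        f = os.lstat(path)
    except FileNotFoundError:
        return None
    d = os.stat(pw.pw_dir)
    flags = getattr(f, "st_flags", 0)
    return can_unlink(d.st_mode, d.st_uid, d.st_gid, f.st_uid, flags,
                      pw.pw_uid, gids)


if __name__ == "__main__":
    for name, deletable in thread_scenarios().items():
        print(f"{name:16s} user can delete .rhosts: {deletable}")
```

The "stock" row is the hole David described: a root-owned .rhosts in a user-owned home is gone with one rm. The "sticky_home" row is Sean's "clever combination": a root-owned, mode 1777 home lets the user create files while the sticky bit stops them removing root's .rhosts. The "schg" row is the fix David settled on, which keeps the home directory's ownership untouched.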




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.91.960601083047.10398A-100000>