Date:      Mon, 10 Apr 2000 22:02:15 -0400 (EDT)
From:      Spidey <beaupran@iro.umontreal.ca>
To:        Brooks Davis <brooks@one-eyed-alien.net>
Cc:        bugs@freebsd.org
Subject:   Re: bin/17910: Do not allow 'operators' to drop to single user via shutdown
Message-ID:  <14578.34727.921383.875698@anarcat.dyndns.org>
In-Reply-To: <20000410174843.A6634@orion.ac.hmc.edu>
References:  <20000410205113.4E0C219BC@anarcat.dyndns.org> <20000410142640.A16425@orion.ac.hmc.edu> <14578.29173.529447.273595@anarcat.dyndns.org> <20000410174843.A6634@orion.ac.hmc.edu>

I'm happy with the solution. I just don't know how to "ask that the PR
be closed". I just send another PR? Or do I write to
FBSD-gnats-whatever?

Yes, I thought about the problems of having "operator" users... But my
users are unlikely to be so wise, for now.. The shutdown thing was too
obvious. A simple typo gave single-user mode in my setup (my console is
"secure"). 

What "code" in TrustedBSD will change that?

Thanks again

--- At 17:48 of April 10, Big Brother made Brooks Davis write:
> On Mon, Apr 10, 2000 at 08:29:41PM -0400, Spidey wrote:
> > Oh. The system asks the root password on single-user shutdown when the
> > console is marked as insecure? That is great. I think it solves it all.
> 
> From /etc/ttys:
> 
> # If console is marked "insecure", then init will ask for the root password
> # when going to single-user mode.
> 
> You do that by removing the secure flag.
> 
> If you're happy with this solution, please reply and ask that the PR be
> closed (I can't do it.)
> 
> > I found it weird that this was all wide open like that. :))
> 
> Giving out operator perms is probably not the best idea.  If nothing
> else, a user in group operator can read any file on the system if they
> are willing to take the time to do it.  Hopefully some of these problems
> will be lessened by the capabilities code from the TrustedBSD project
> (http://www.TrustedBSD.org/).  For now, if you need to give out operator
> perms, you'll have to expect to close related holes yourself.
> 
> -- Brooks
> 
> -- 
> Any statement of the form "X is the one, true Y" is FALSE.

-- 
If the image gives the illusion of knowing
It is because the adage claims that to believe,
All that matters is to see

Lofofora
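
The /etc/ttys setting discussed in this thread can be audited with a short script. This is an added example, not part of the original message or of FreeBSD; the function names and the sample files are constructed for illustration. It matches the `secure` flag as a whole token, so `insecure` and a commented-out `secure` are not miscounted.

```sh
#!/bin/sh
# Added example: audit the console entry of a ttys(5) file.
# Prints "secure", "insecure" or "missing".
console_ttys_status() {
    awk '
        { sub(/#.*/, "") }                 # strip comments
        $1 != "console" { next }           # only the console line matters here
        {
            gsub(/"[^"]*"/, "CMD")         # quoted getty command -> one field
            status = "insecure"            # no "secure" flag means insecure
            for (i = 4; i <= NF; i++)
                if ($i == "secure") status = "secure"
            found = 1
        }
        END { print (found ? status : "missing") }
    ' "$1"
}

# Exit 0 only when init will ask for the root password in single-user mode.
single_user_needs_password() {
    [ "$(console_ttys_status "$1")" = "insecure" ]
}

# Constructed sample files (not taken from a real system).
sample_dir=$(mktemp -d)
cat > "$sample_dir/ttys.secure" <<'EOF'
# name  getty                           type    status
console none                            unknown off secure
ttyv0   "/usr/libexec/getty Pc"         cons25  on  secure
EOF
cat > "$sample_dir/ttys.insecure" <<'EOF'
console none                            unknown off insecure  # was: secure
ttyv0   "/usr/libexec/getty Pc"         cons25  on  secure
EOF

for f in "$sample_dir/ttys.secure" "$sample_dir/ttys.insecure"; do
    if single_user_needs_password "$f"; then
        echo "$f: console insecure, root password required for single-user"
    else
        echo "$f: console $(console_ttys_status "$f"), single-user shell opens without a password"
    fi
done
```

On a real system, pass `/etc/ttys` to `single_user_needs_password` and treat a non-zero exit as a finding.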