Date:      Wed, 22 Mar 2017 13:18:37 +0000
From:      Jamie Landeg-Jones <jamie@dyslexicfish.net>
To:        freebsd-hackers@freebsd.org, chris@sinjakli.co.uk
Subject:   Re: A historical curiosity in su(1)
Message-ID:  <201703221318.v2MDIboh037111@dyslexicfish.net>
In-Reply-To: <CAN-H+ybmipbPq59HGVsfouS_8v-ezDbU+4PKtiTwj3tv-LjOyw@mail.gmail.com>
References:  <CAN-H+ybmipbPq59HGVsfouS_8v-ezDbU+4PKtiTwj3tv-LjOyw@mail.gmail.com>

Chris Sinjakli <chris@sinjakli.co.uk> wrote:

> The thing I'm curious about is why it goes to the trouble of trying to use the
> result of getpwnam/getlogin at all. The only time it will return something
> different from getpwuid/getuid is if there are two users with the same uid but
> different information in the rest of their passwd entry.
>
> Are there cases where you might want to set up a system this way? I've always
> avoided assigning the same uid to multiple users - it seems like a bad idea!

I do this.

I use a number of different mailboxes for different lists etc. Each
corresponding email address is mapped to a unique unix username (hence, a unique unix-mail
user).

So, a few different mailboxes in /var/mail - nothing unusual so far.

These additional users are only used for the email processing, and only by me, so to
avoid having to play around with file permissions etc., all of them use the same uid/gid
as my main user. As long as the main user appears first in the passwd and group files,
it seems to not cause any problems.

Another use I once had:

A non-privileged user needed both interactive and ftp access. I only allow ssh for interactive
use, but he was unable to use scp/sftp.

Only having ssh interactive, but allowing clear-text passwords for ftp, would defeat the security
purpose, so, I created one ftp-only account (blocked from access in ssh config) and one ssh-only
account (blocked from ftp access with a special default shell, and also configuration in
/etc/ftpusers, if I recall.)

I ensured both used different passwords, but gave both the same uid/gid so that there wouldn't be
permission problems with ftp vs interactive files.

(Yes, I know anyone who knew the ftp password could maybe ftp some trojan in, but that was beyond the
scope here.)

TL;DR: One account, but different passwords and login 'shells'

Cheers! Jamie.
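The lookup difference the thread turns on, as an added example that is not code from the message or from FreeBSD: a small audit over a constructed passwd file showing that a uid lookup returns the first matching line while a name lookup does not, so entry order decides which shell and password hash a shared uid resolves to. The sample entries and helper names are assumptions modelled on the setup described above.

```python
from collections import defaultdict

# Added example, not code from the thread. Constructed /etc/passwd content modelled on the
# setup described in the mail: main user first, then accounts that share its uid/gid.
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
jamie:*:1001:1001:Jamie:/home/jamie:/bin/sh
jamie-list1:*:1001:1001:list mailbox:/home/jamie:/usr/sbin/nologin
bob-ftp:*:1002:1002:Bob (ftp only):/home/bob:/usr/sbin/nologin
bob-ssh:*:1002:1002:Bob (ssh only):/home/bob:/bin/sh
"""
FIELDS = ("name", "passwd", "uid", "gid", "gecos", "dir", "shell")

def parse_passwd(text):
    """Return one dict per passwd line, preserving file order (order decides uid lookups)."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed passwd line: {line!r}")
        e = dict(zip(FIELDS, parts))
        e["uid"], e["gid"] = int(e["uid"]), int(e["gid"])
        entries.append(e)
    return entries

def by_name(entries, name):
    """getpwnam()-style lookup: exact name match, independent of file order."""
    return next((e for e in entries if e["name"] == name), None)

def by_uid(entries, uid):
    """getpwuid()-style lookup: the FIRST entry carrying that uid wins."""
    return next((e for e in entries if e["uid"] == uid), None)

def shared_uid_report(entries):
    """For every uid used by more than one name: the names in file order, the name a uid
    lookup resolves to, and whether the entries disagree on shell (the ftp/ssh split)."""
    names = defaultdict(list)
    for e in entries:
        names[e["uid"]].append(e["name"])
    report = {}
    for uid, ns in names.items():
        if len(ns) > 1:
            shells = {by_name(entries, n)["shell"] for n in ns}
            report[uid] = {"names": ns,
                           "uid_resolves_to": by_uid(entries, uid)["name"],
                           "shells_differ": len(shells) > 1}
    return report
```

Running `shared_uid_report(parse_passwd(SAMPLE_PASSWD))` flags uids 1001 and 1002; for 1002 the uid lookup resolves to bob-ftp (the nologin entry) simply because it comes first, which is the ordering caveat the message describes.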


