Date: Wed, 2 Jun 1999 10:20:56 -0400 (EDT) From: Jim Sander <jim@federation.addy.com> Cc: freebsd-security@FreeBSD.ORG Subject: Re: Shell Account system Message-ID: <Pine.BSF.3.95q.990602100105.9414C-100000@federation.addy.com> In-Reply-To: <19990602054724.12309.qmail@ewok.creative.net.au>
next in thread | previous in thread | raw e-mail | index | archive | help
> The worst thing in the world you can ever do is allow users to compile/run > their own binaries. If a user wants something installed, then I'll damn > well compile it and install it for *all* to use. Um, I'd have to disagree there. Assuming you're talking about non-root level users of course. The big problem is of course scaling. If you have 10 users, it's easy. When you have 1000, spread out over a dozen servers it becomes challenging to administer. Everyone wants something different, and it's usually incompatible with what someone else wants. It takes time and effort that could be better spent securing your system in other ways. Then try upgrading anything and you'll be screwed even worse! If they're compiling as a "normal" user, they should/are restricted from potentially dangerous operations. Nothing is perfect, but if you're that paranoid you should not have any users on the system at all. Plus, there's almost nothing you can do with a compiler that can't also be done with Perl anyway. (surely you let users have Perl!) The name of the game of course is to be better, faster, and more attentive to detail than anyone on your systems who would seek to do something they shouldn't. You can't do that if you're installing strange things for one user or doing updates every time a bug in <x> is found. Just my opinion of course... -=Jim=- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.95q.990602100105.9414C-100000>