On Sat, 6 Jul 2002 18:14, Fraser Campbell wrote:
> On Thu, 2002-07-04 at 22:57, Russell Coker wrote:
> > Delegating administrative access to one tree of an LDAP directory is
> > easy. Preventing it from being used maliciously is another issue. A
> > hostile user could create a new LDAP entry with a UID of 0...
>
> But if you configure files lookups before db lookups the uid 0 entry in
> LDAP or SQL would never be used right? Snippet from /etc/nsswitch.conf:
>
> passwd: files mysql
> shadow: files mysql
> group: files mysql
In that case files will be used first for UID->name lookups, but for name->UID lookups if the name is != root then it'll still work. Try it!

> > Restricting someone who has UID=0 in a chroot environment from taking
> > over the rest of the machine is easy enough though...
>
> Yes, based on your talk today I guess you mean SE Linux. What about
> user mode Linux, have you ever looked at its potential use as a chroot
> environment?

UML is another option for results that can be similar in some situations.

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
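Added example (not from the thread or from any NSS implementation): a small model of how the NSS source order in nsswitch.conf is walked, showing why "passwd: files mysql" protects UID->name lookups but not name->UID lookups for a name that only exists in the delegated source, plus the audit check an administrator would want. All entries are constructed sample data.

```python
# Constructed model of glibc-style NSS lookups for "passwd: files mysql".
# First source that answers wins; later sources are never consulted.

from typing import Dict, List, Optional, Tuple

# Rows shaped like passwd entries: (name, uid, gid, home, shell)
PasswdEntry = Tuple[str, int, int, str, str]

SOURCES: Dict[str, List[PasswdEntry]] = {
    # /etc/passwd, administered by root (constructed sample data)
    "files": [
        ("root", 0, 0, "/root", "/bin/bash"),
        ("alice", 1000, 1000, "/home/alice", "/bin/bash"),
    ],
    # delegated LDAP/SQL subtree; "helper" with UID 0 is the hostile entry
    "mysql": [
        ("bob", 1001, 1001, "/home/bob", "/bin/bash"),
        ("helper", 0, 0, "/", "/bin/sh"),
    ],
}

NSSWITCH_PASSWD = ["files", "mysql"]  # the "passwd: files mysql" line


def getpwuid(uid: int, order=NSSWITCH_PASSWD) -> Optional[PasswdEntry]:
    """UID->name: files answers UID 0 first, so "root" is returned."""
    for src in order:
        for entry in SOURCES[src]:
            if entry[1] == uid:
                return entry
    return None


def getpwnam(name: str, order=NSSWITCH_PASSWD) -> Optional[PasswdEntry]:
    """name->UID: a name absent from files falls through to the next source,
    so "helper" resolves to UID 0 regardless of the files-first ordering."""
    for src in order:
        for entry in SOURCES[src]:
            if entry[0] == name:
                return entry
    return None


def foreign_privileged_entries(trusted="files", max_uid=0):
    """Audit: every entry with uid <= max_uid served by an untrusted source.
    A non-empty result means the delegated tree can mint privileged names."""
    return [(src, e) for src, rows in SOURCES.items()
            if src != trusted for e in rows if e[1] <= max_uid]
```

Running the audit periodically (or on every delegated write) is the practical check; the source ordering alone does not close the name->UID path.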