-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
>>>>> "Ethan" == Ethan Benson <[EMAIL PROTECTED]> writes:
Ethan> passwd not being able to update /etc/shadow would be a very bad
Ethan> thing since users would be unable to change thier own passwords.
Ethan> users need to be encouraged to change thier passwords, not
Ethan> discouraged.
Off topic, but I'm just wondering if there has ever been any though to
putting each user's information in a separate file. So if I had users
"foo" and "bar", then I would have files /etc/passwd.d/foo and
/etc/passwd.d/bar (or something like that), with /etc/passwd.d/foo only
read/writable by user foo (and root), and /etc/passwd.d/bar only
read/writable by user bar (and root).
This way, the login programs would still need to be SUID root (but I
don't think there's any way around that, since they need to launch a
shell under different UID's), but programs such as passwd would not,
since user foo (and root) already have permissions to his password file.
The only problems I could think of is that it would eat up a chunk of
inodes (but I don't know of anyone who's running short on inodes), and
we'd have a lot of internal fragmentation in the filesystem (which
shouldn't be too much of a problem, with disk space so cheap). If all
the login programs use PAM, then creating such a scheme won't break any
programs (hopefully).
Ethan> i don't think you can really modify passwd to be that granular
Ethan> about ssh vs other methods of access.
OK, back on topic... could you modify PAM? Do all login programs in
Debian use PAM now?
- --
Hubert Chan <[EMAIL PROTECTED]> - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD 6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net. Please encrypt *all* e-mail to me.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE7L5tUZRhU33H9o38RArQPAKDBFyBb+6fiIMPGTHTk0o3OnaUX3ACeJsf0
Uyrk7f931paQ+Nuf76efyo4=
=6nTM
-----END PGP SIGNATURE-----
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]