-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>>>>> "Ethan" == Ethan Benson <[EMAIL PROTECTED]> writes:

Ethan> passwd not being able to update /etc/shadow would be a very bad
Ethan> thing since users would be unable to change their own passwords.
Ethan> users need to be encouraged to change their passwords, not
Ethan> discouraged.

Off topic, but I'm just wondering if there has ever been any thought to
putting each user's information in a separate file. So if I had users
"foo" and "bar", then I would have files /etc/passwd.d/foo and
/etc/passwd.d/bar (or something like that), with /etc/passwd.d/foo only
read/writable by user foo (and root), and /etc/passwd.d/bar only
read/writable by user bar (and root).

This way, the login programs would still need to be SUID root (but I
don't think there's any way around that, since they need to launch a
shell under different UID's), but programs such as passwd would not,
since user foo (and root) already have permissions to his password file.

The only problems I could think of are that it would eat up a chunk of
inodes (but I don't know of anyone who's running short on inodes), and
we'd have a lot of internal fragmentation in the filesystem (which
shouldn't be too much of a problem, with disk space so cheap).

If all the login programs use PAM, then creating such a scheme won't
break any programs (hopefully).

Ethan> i don't think you can really modify passwd to be that granular
Ethan> about ssh vs other methods of access.

OK, back on topic... could you modify PAM? Do all login programs in
Debian use PAM now?

- --
Hubert Chan <[EMAIL PROTECTED]> - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD 6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net. Please encrypt *all* e-mail to me.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7L5tUZRhU33H9o38RArQPAKDBFyBb+6fiIMPGTHTk0o3OnaUX3ACeJsf0
Uyrk7f931paQ+Nuf76efyo4=
=6nTM
-----END PGP SIGNATURE-----
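
The per-user layout proposed in the message above only holds if every file stays owned by its user and closed to everyone else, and if the directory itself cannot be rewritten by users. The following is an added example, not part of the original post: a checker for such a directory, where the function name, the uid_of mapping and the dir_owner parameter are assumptions made for illustration.

```python
import os
import stat
import tempfile

def audit_passwd_dir(directory, uid_of, dir_owner=0):
    """Return sorted (name, problem) findings for a per-user file layout.

    directory -- hypothetical /etc/passwd.d-style directory
    uid_of    -- mapping of user name -> expected numeric UID (assumption;
                 a real tool would consult the account database)
    dir_owner -- UID that must own the directory (root by default)
    """
    d = os.lstat(directory)
    if not stat.S_ISDIR(d.st_mode):
        return [(".", "not a directory")]
    findings = []
    if d.st_uid != dir_owner:
        findings.append((".", "directory not owned by expected UID"))
    if d.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append((".", "directory writable by group or other"))
    for name in sorted(os.listdir(directory)):
        # lstat, not stat: a symlink must be reported, never followed.
        st = os.lstat(os.path.join(directory, name))
        if name not in uid_of:
            findings.append((name, "no such user"))
        elif not stat.S_ISREG(st.st_mode):
            findings.append((name, "not a regular file"))
        else:
            if st.st_uid != uid_of[name]:
                findings.append((name, "wrong owner"))
            if stat.S_IMODE(st.st_mode) & 0o177:  # anything beyond rw-------
                findings.append((name, "mode wider than 0600"))
            if st.st_nlink != 1:
                findings.append((name, "has extra hard links"))
    return findings

if __name__ == "__main__":
    # Constructed sample: a temporary directory standing in for /etc/passwd.d.
    with tempfile.TemporaryDirectory() as tmp:
        me = os.getuid()
        for user, mode in (("foo", 0o600), ("bar", 0o644)):
            path = os.path.join(tmp, user)
            open(path, "w").close()
            os.chmod(path, mode)
        for finding in audit_passwd_dir(tmp, {"foo": me, "bar": me}, dir_owner=me):
            print(finding)
```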

