At 08:43 AM 3/17/99 -0600, Jeff Hayward wrote:
>On Tue, 16 Mar 1999, Adam D. McKenna wrote:
>   
>   # groupadd shellusr
>   # vi /etc/group
>   # chown root.shellusr /bin/csh
>   [...]
>   
>   etc..  Of course you need to be careful when doing this and make sure every
>   user that could possibly need shell access is included (including any users
>   that have cron jobs running under their UID)..  etc..  but this is possible
>   without modifying qmail (and taking out a very important feature).
>
>This may work but remember that qmail-lspawn does not set up any
>supplemental groups before running qmail-local, so you'd have to
>rely on the user's primary group to give them "|" capability in
>.qmail files.

As usual Jeff makes a very good point. I'd like to look at the obverse 
side though. That the .qmail shell is invoked without supplemental groups 
means that you can use supplemental groups to allow that user different 
access when they access the system via means other than local delivery.

One way? When users are created, their primary group is used to provide the 
most minimal file system access (which of course includes executables) that 
any user is allowed in any form and they are added to supplemental groups 
for access by other means, such as SMB, ftp, login, etc.


Regards.
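
The effect discussed in this thread, as an added example that is not part of the original messages: it compares what a user can execute with only the primary group set (the situation Jeff describes for qmail-local) against a session that also carries supplemental groups. The account names, group IDs and the 0750 mode on the shell are constructed assumptions.

```python
import stat

# Constructed sample data; names, IDs and the 0750 mode are assumptions.
PASSWD = """\
alice:x:1001:200:Alice:/home/alice:/bin/csh
bob:x:1002:100:Bob:/home/bob:/bin/csh
carol:x:1003:100:Carol:/home/carol:/bin/csh
"""
GROUP = """\
users:x:100:
shellusr:x:200:bob
"""
# State of the shell after `chown root.shellusr` plus an assumed `chmod 750`.
SHELL = {"uid": 0, "gid": 200, "mode": 0o750}

def parse_passwd(text):
    """Map login name -> (uid, primary gid)."""
    rows = (line.split(":") for line in text.splitlines() if line.strip())
    return {f[0]: (int(f[2]), int(f[3])) for f in rows}

def supplemental_gids(text, name):
    """GIDs of every group whose member list names the user."""
    rows = (line.split(":") for line in text.splitlines() if line.strip())
    return {int(f[2]) for f in rows if name in f[3].split(",")}

def can_exec(uid, gids, meta):
    """Classic Unix check: exactly one of owner/group/other applies."""
    if uid == 0:
        return bool(meta["mode"] & 0o111)
    if uid == meta["uid"]:
        return bool(meta["mode"] & stat.S_IXUSR)
    if meta["gid"] in gids:
        return bool(meta["mode"] & stat.S_IXGRP)
    return bool(meta["mode"] & stat.S_IXOTH)

def audit(passwd=PASSWD, group=GROUP, meta=SHELL):
    """name -> (exec with primary gid only, exec with supplemental groups)."""
    result = {}
    for name, (uid, gid) in parse_passwd(passwd).items():
        delivery = can_exec(uid, {gid}, meta)
        login = can_exec(uid, {gid} | supplemental_gids(group, name), meta)
        result[name] = (delivery, login)
    return result

if __name__ == "__main__":
    for name, (delivery, login) in audit().items():
        print(f"{name:6} primary-gid-only={delivery!s:5} with-supplemental={login}")
```

In this sample, bob is the case the reply describes: membership in shellusr only as a supplemental group gives him the shell at login but not from a .qmail delivery.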
