An option (not so much for init, but for users running apps
as root etc) is sudo

A nice app brought to us from OpenBSD I believe, and much needed.

Dean

Scott Howard wrote:
> 
> On Thu, Oct 19, 2000 at 10:53:05AM +1100, Jill Rowling wrote:
> > What method do people prefer when wanting a program to run as a particular
> > user?
> > Examples:
> >       At startup time, in init.d I might want to run a script as user
> > "blah"
> 
> At startup you should _always_ use su.  There is no reason to use setuid
> and it's just likely to introduce security holes.
> 
> >       Or I want to run a program as user "blah" where "blah" has less
> > privileges than my normal user account.
> 
> The problem with using setuid for programs which aren't built for it is
> that you often introduce security holes of some form.
> 
> > (Thinks of easily broken things like X and Netscape, hehe)
> 
> eg, if you setuid Netscape, then it's going to be fairly trivial for
> someone else to get access to that account - simply because Netscape isn't
> written to be setuid.
> If you must use setuid, try and use some method to make sure that nobody
> who doesn't need to can run the program. eg, if you're on a single user
> home machine there might be no need to do anything, otherwise you might
> need to play with groups to make it so that only certain people can run
> that binary.
> 
> > Which is preferable?
> > Are there other ways of doing it?
> 
> Of course, this is Unix so there's always other ways to do it :)
> 
> One way that springs to mind is sudo.  This will give you some flexibility
> on what can be run, who can run them, and what is needed in the way of
> passwords (eg, password of the user running it, password of the user you're
> going to run the program as, no password, etc).
> 
> As a rule, setuid is evil and should be avoided at all cost.
> 
> On a sort of aside here, lots of people running Unix boxes at home
> (particularly with a single user) do things the "wrong" (note the quotes!)
> way, with the excuse that it doesn't matter on such a small setup.
> 
> If you've got any intention of ever using your home experience for any
> further good, be that commercially, for charity, or even just helping a
> friend I'd really suggest you try and do things one of the "right" ways.
> Good habits are good to learn early, and bad habits are hard to get out
> of. Using setuid might work fine on your single box at home, but it's
> just not going to cut it in a commercial environment.
> 
>   Scott.
> 
> --
> SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
> More Info: http://slug.org.au/lists/listinfo/slug

-- 
BONG: http://www.bong.com.au
ICQ: 16867613
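
Scott's suggestion in the quoted reply, using groups so that only certain people can run a setuid binary, can be checked with a short audit. This is an added example, not part of the original thread; the function names `classify_perms` and `audit_setuid` are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list setuid files under a directory
# and flag the ones that every user on the box can execute.
# Function names are hypothetical.

# classify_perms PERMS
# PERMS is the mode string printed by `ls -l`, e.g. -rwsr-x---
# Prints: not-setuid | restricted | world-exec
classify_perms() {
    owner_x=$(printf '%s' "$1" | cut -c4)    # owner execute slot: s/S means setuid
    other_x=$(printf '%s' "$1" | cut -c10)   # "other" execute slot
    case $owner_x in
        s|S) ;;
        *) echo not-setuid; return 0 ;;
    esac
    case $other_x in
        x|t) echo world-exec ;;   # anyone can run it with the owner's uid
        *)   echo restricted ;;   # only owner (and possibly group) can run it
    esac
}

# audit_setuid DIR
# One line per setuid file: verdict, mode string, owner:group, path.
# Paths containing newlines are not handled.
audit_setuid() {
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null |
    while IFS= read -r path; do
        ls -ld "$path" | {
            read -r perms links owner group rest
            printf '%s\t%s\t%s:%s\t%s\n' \
                "$(classify_perms "$perms")" "$perms" "$owner" "$group" "$path"
        }
    done
}

# Usage: sh audit.sh /usr/local/bin
if [ "$#" -gt 0 ]; then
    audit_setuid "$1"
fi
```

A `world-exec` line is the case the reply warns about; a `restricted` line with mode `-rwsr-x---` is the group-limited arrangement it recommends when setuid cannot be avoided.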

