From owner-freebsd-bugs Mon Apr 10 19: 3:34 2000 Delivered-To: freebsd-bugs@freebsd.org Received: from anarcat.dyndns.org (phobos.IRO.UMontreal.CA [132.204.20.20]) by hub.freebsd.org (Postfix) with ESMTP id 0DF9037B829 for ; Mon, 10 Apr 2000 19:03:29 -0700 (PDT) (envelope-from spidey@anarcat.dyndns.org) Received: by anarcat.dyndns.org (Postfix, from userid 1000) id 6924F1BF5; Mon, 10 Apr 2000 22:02:16 -0400 (EDT) From: Spidey MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <14578.34727.921383.875698@anarcat.dyndns.org> Date: Mon, 10 Apr 2000 22:02:15 -0400 (EDT) To: Brooks Davis Cc: bugs@freebsd.org Subject: Re: bin/17910: Do not allow 'operators' to drop to single user via shutdown In-Reply-To: <20000410174843.A6634@orion.ac.hmc.edu> References: <20000410205113.4E0C219BC@anarcat.dyndns.org> <20000410142640.A16425@orion.ac.hmc.edu> <14578.29173.529447.273595@anarcat.dyndns.org> <20000410174843.A6634@orion.ac.hmc.edu> X-Mailer: VM 6.72 under 21.1 (patch 8) "Bryce Canyon" XEmacs Lucid Reply-To: beaupran@iro.umontreal.ca Sender: owner-freebsd-bugs@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I'm happy with the solution. I just don't know how to "ask that the PR be closed". I just send another PR? Or do I write to FBSD-gnats-whatever? Yes, I though about the problems of having "operator" users... But my users are unlikely to be so wise, for now.. The shutdown thing was too obvious. A simple typo gave single-user mode in my setup (my console is "secure"). What "code" in TrustedBSD will change that? Thanks again --- At 17:48 of April 10, Big Brother made Brooks Davis write: > On Mon, Apr 10, 2000 at 08:29:41PM -0400, Spidey wrote: > > Oh. The system asks the root password on single-user shutdown when the > > console is marked as insecure? That is great. I think it solves it all. > > >From /etc/ttys: > > # If console is marked "insecure", then init will ask for the root password > # when going to single-user mode. > > You do that by removing the secure flag. > > If you're happy with this solution, please reply and ask that the PR be > closed (I can't do it.) > > > I found it weird that this was all wide open like that. :)) > > Giving out operator perms is probalby not the best idea. If nothing > else, a user in group operator can read any file on the system if they > are willing to take the time to do it. Hopefully some of these problems > will be lessened by the capabilities code from the TrustedBSD project > (http://www.TrustedBSD.org/). For now, if you need to give out operator > perms, you'll have to expect to close related holes yourself. > > -- Brooks > > -- > Any statement of the form "X is the one, true Y" is FALSE. -- Si l'image donne l'illusion de savoir C'est que l'adage pretend que pour croire, L'important ne serait que de voir Lofofora To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message