From owner-freebsd-questions@FreeBSD.ORG Fri Jun 6 05:33:12 2003
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id AB7F737B401
	for <freebsd-questions@freebsd.org>; Fri, 6 Jun 2003 05:33:12 -0700 (PDT)
Received: from catflap.home.slightlystrange.org (pc4-cmbg1-4-cust87.cmbg.cable.ntl.com [80.6.127.87])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 9008D43F3F
	for <freebsd-questions@freebsd.org>; Fri, 6 Jun 2003 05:33:11 -0700 (PDT)
	(envelope-from dan@slightlystrange.org)
Received: from danielby by catflap.home.slightlystrange.org with local (Exim 3.36 #1)
	id 19OGP2-0009hv-00
	for freebsd-questions@FreeBSD.ORG; Fri, 06 Jun 2003 13:33:04 +0100
Date: Fri, 6 Jun 2003 13:33:04 +0100
From: Daniel Bye <dan@slightlystrange.org>
To: freebsd-questions@FreeBSD.ORG
Message-ID: <20030606123304.GA36887@catflap.home.slightlystrange.org>
Mail-Followup-To: freebsd-questions@FreeBSD.ORG
References: <20030606122644.53704.qmail@web41111.mail.yahoo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20030606122644.53704.qmail@web41111.mail.yahoo.com>
User-Agent: Mutt/1.4.1i
X-Scanner: exiscan *19OGP2-0009hv-00*PZE2alL6jZw* (SlightlyStrange.org, Using NOD32 http://www.nod32.com)
Subject: Re: passwd
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: dan@slightlystrange.org
List-Id: User questions
X-List-Received-Date: Fri, 06 Jun 2003 12:33:13 -0000

On Fri, Jun 06, 2003 at 01:26:44PM +0100, Mark Redding wrote:
> Hi all,
>
> I'm building a system (FreeBSD 4.7) upon which I wish the majority of
> users to only have extremely limited access (i.e. to be able to telnet
> elsewhere).
>
> One of the things I've done is to "chmod o-rwx" most everything in
> /bin/ /sbin/ /usr/bin/ /usr/sbin/ and /usr/libexec/
>
> The only commands that users can access now are "passwd" and "telnet",
> as I've changed permissions to give them "r-x" access to these
> commands, and also to /usr/libexec/ld.elf*
>
> The problem I have at present is that users can telnet, but they
> cannot issue the passwd command without getting:
>
> passwd: permission denied
>
> Does anyone know what other commands passwd may be trying to execute,
> or of any way I can 'trace' the program to see what it's trying to do
> (I've KTRACE switched OFF in the kernel and have no intention of
> switching it on).

passwd needs to run setuid root, so it can write the new password to
/etc/master.passwd:

    [homer: danielby: ~]$ ls -l `which passwd`
    -r-sr-xr-x  2 root  wheel  32824 19 May 11:04 /usr/bin/passwd*

You need to re-enable the setuid bit.

While a lot more work, you might want to look at jail(8) - you can then
provide only those programs you want your users to have access to, while
leaving the base system a bit more sane. It takes a bit of tinkering, but
works reasonably well.

> thanks in advance,
>
> Mark Redding.
>
>
> =====
> Mark W J Redding
>
> __________________________________________________
> Yahoo! Plus - For a better Internet experience
> http://uk.promotions.yahoo.com/yplus/yoffer.html
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

--
Daniel Bye

PGP Key: ftp://ftp.slightlystrange.org/pgpkey/dan.asc
PGP Key fingerprint: 3D73 AF47 D448 C5CA 88B4 0DCF 849C 1C33 3C48 2CDC
                                                                      _
                                              ASCII ribbon campaign ( )
                                   - against HTML, vCards and         X
                                      - proprietary attachments in e-mail / \
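The exchange above turns on one detail: `chmod o-rwx` leaves the setuid bit alone, but giving users back "r-x" with an absolute mode such as 555 silently clears it, and a passwd binary without setuid cannot write /etc/master.passwd. The following script is an added example, not part of the original thread, and reproduces that sequence on a temporary file (never on the real /usr/bin/passwd) so the effect of each chmod can be checked; the helper names `has_setuid`, `mode_of` and `demo` are this example's own, and it uses only POSIX `find -perm -4000`, `ls` and `chmod`, so it runs on FreeBSD and Linux alike.

```shell
#!/bin/sh
# Added example (not from the original thread): show how the permission
# changes Mark describes interact with the setuid bit, and how to audit it.
# Everything happens on a temporary file; the real passwd is never touched.

# has_setuid FILE -> exit 0 if the setuid bit is set, 1 otherwise.
# -prune stops find from descending if FILE is a directory; -perm -4000 is POSIX.
has_setuid() {
    [ -n "$(find "$1" -prune -perm -4000 2>/dev/null)" ]
}

# mode_of FILE -> the symbolic mode column of ls -l, e.g. -r-sr-xr-x
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Walk through the sequence from the thread on a scratch file.
# Exit status 0 only if the three observations below all hold.
demo() {
    f=$(mktemp) || return 1
    # Start from the stock FreeBSD passwd mode quoted in the reply: 4555.
    chmod 4555 "$f"
    before=$(mode_of "$f")

    # Step 1 (Mark's first change): o-rwx only edits the "other" bits, so
    # the setuid bit survives.
    chmod o-rwx "$f"
    after_orwx=$(mode_of "$f")
    if has_setuid "$f"; then kept=yes; else kept=no; fi

    # Step 2 (giving users "r-x" back with an absolute mode): 555 does not
    # mention the setuid bit, so chmod clears it. This is the state in which
    # passwd can no longer update /etc/master.passwd.
    chmod 555 "$f"
    after_555=$(mode_of "$f")
    if has_setuid "$f"; then lost=no; else lost=yes; fi

    # Step 3 (the fix from the reply): put the setuid bit back.
    chmod u+s "$f"
    if has_setuid "$f"; then fixed=yes; else fixed=no; fi
    after_fix=$(mode_of "$f")

    rm -f "$f"
    printf '%s\n' \
        "start:        $before" \
        "after o-rwx:  $after_orwx  (setuid kept: $kept)" \
        "after 555:    $after_555  (setuid lost: $lost)" \
        "after u+s:    $after_fix  (setuid present: $fixed)"
    [ "$kept" = yes ] && [ "$lost" = yes ] && [ "$fixed" = yes ]
}

demo
```

To audit a live system the same way, `has_setuid /usr/bin/passwd` answers the question directly, and `find /usr/bin /usr/sbin /bin /sbin -perm -4000` lists every setuid program so that any further permission tightening can be checked against that list before it is applied.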