Date:      Fri, 6 Jun 2003 13:33:04 +0100
From:      Daniel Bye <dan@slightlystrange.org>
To:        freebsd-questions@FreeBSD.ORG
Subject:   Re: passwd
Message-ID:  <20030606123304.GA36887@catflap.home.slightlystrange.org>
In-Reply-To: <20030606122644.53704.qmail@web41111.mail.yahoo.com>
References:  <20030606122644.53704.qmail@web41111.mail.yahoo.com>

On Fri, Jun 06, 2003 at 01:26:44PM +0100, Mark Redding wrote:
> Hi all,
> 
> I'm building a system (FreeBSD 4.7) upon which I
> wish the majority of users to only have extremely
> limited access to (ie. to be able to telnet
> elsewhere).
> 
> One of the things I've done is to "chmod o-rwx" most
> everything in /bin/ /sbin/ /usr/bin/ /usr/sbin/ and
> /usr/libexec/
> 
> The only commands that users can access now are
> "passwd" and "telnet" as I've changed permissions to
> give them "r-x" access to these commands, and also to
> /usr/libexec/ld.elf*
> 
> The problem I have at present is that users can
> telnet, but they cannot issue the passwd command
> without getting :-
> 
> passwd: permission denied
> 
> Does anyone know what other commands passwd may be
> trying to execute, or of any way I can 'trace' the
> program to see what it's trying to do (I've KTRACE
> switched OFF in the kernel and have no intention of
> switching it on).

passwd needs to run setuid root, so it can write the new password to
/etc/master.passwd:

[homer: danielby: ~]$ ls -l `which passwd`
-r-sr-xr-x  2 root  wheel  32824 19 May 11:04 /usr/bin/passwd*

You need to re-enable the setuid bit.

While a lot more work, you might want to look at jail(8) - you can then
provide only those programs you want your users to have access to, while
leaving the base system a bit more sane.  It takes a bit of tinkering, but
works reasonably well.

> 
> thanks in advance,
> 
> Mark Redding.
> 
> 
> =====
> Mark W J Redding
> 

-- 
Daniel Bye

PGP Key: ftp://ftp.slightlystrange.org/pgpkey/dan.asc
PGP Key fingerprint: 3D73 AF47 D448 C5CA 88B4 0DCF 849C 1C33 3C48 2CDC
                                                                     _
                                              ASCII ribbon campaign ( )
                                         - against HTML, vCards and  X
                                - proprietary attachments in e-mail / \



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030606123304.GA36887>
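
An added example (not from the thread or from the FreeBSD project): a POSIX sh audit for the kind of lockdown discussed above, confirming that files outside an allowlist carry no "other" permission bits while allowlisted commands keep r-x and, where marked, the setuid bit and the expected owner. The function names, the `name:suid` allowlist syntax and the finding labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example; function names and the "name:suid" syntax are hypothetical.
# Usage: audit_dir DIR OWNER_UID ENTRY...      ENTRY is "name" or "name:suid"
#   e.g. audit_dir /usr/bin 0 passwd:suid telnet
# Prints one finding per line and returns 1 if anything was found.

has_mode() {    # true if FILE has every permission bit in MODE (e.g. -4000)
    [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

owner_uid() {   # numeric owner: third field of `ls -ln`
    ls -ln "$1" | awk '{ print $3 }'
}

audit_dir() {
    dir=$1 want_uid=$2; shift 2
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/} rule=deny
        for entry in "$@"; do
            case $entry in
                "$name")      rule=allow ;;
                "$name:suid") rule=suid ;;
            esac
        done
        if [ "$rule" = deny ]; then
            # Locked-down files must have no "other" bits at all.
            if has_mode "$f" -004 || has_mode "$f" -002 || has_mode "$f" -001; then
                echo "EXPOSED $name: others still have access"; rc=1
            fi
            continue
        fi
        # Allowlisted commands must stay readable and executable by others.
        has_mode "$f" -005 || { echo "BLOCKED $name: others lack r-x"; rc=1; }
        if [ "$rule" = suid ]; then
            # A setuid helper is only useful if the bit and the owner survive.
            has_mode "$f" -4000 || { echo "NOSUID $name: setuid bit missing"; rc=1; }
            [ "$(owner_uid "$f")" = "$want_uid" ] ||
                { echo "OWNER $name: not owned by uid $want_uid"; rc=1; }
        fi
    done
    return $rc
}
```

Run it after each permission change; a `NOSUID` or `OWNER` finding on passwd means the binary can no longer write /etc/master.passwd on the user's behalf.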