From owner-freebsd-questions  Sat Jun  1 07:18:18 1996
Return-Path: owner-questions
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id HAA20124
          for questions-outgoing; Sat, 1 Jun 1996 07:18:18 -0700 (PDT)
Received: from gatekeeper.fsl.noaa.gov (gatekeeper.fsl.noaa.gov [137.75.131.181])
          by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id HAA20116
          for <questions@freebsd.org>; Sat, 1 Jun 1996 07:18:15 -0700 (PDT)
Received: from emu.fsl.noaa.gov (kelly@emu.fsl.noaa.gov [137.75.60.32]) by gatekeeper.fsl.noaa.gov (8.7.5/8.7.3) with ESMTP id OAA26468; Sat, 1 Jun 1996 14:18:12 GMT
Message-Id: <199606011418.OAA26468@gatekeeper.fsl.noaa.gov>
Received: by emu.fsl.noaa.gov
	(1.40.112.3/16.2) id AA128278692; Sat, 1 Jun 1996 08:18:12 -0600
Date: Sat, 1 Jun 1996 08:18:12 -0600
From: Sean Kelly <kelly@fsl.noaa.gov>
To: dbabler@Rigel.orionsys.com
Cc: questions@freebsd.org
In-Reply-To: <Pine.BSF.3.91.960531170148.29128C-100000@Rigel.orionsys.com>
	(message from David Babler on Fri, 31 May 1996 17:09:24 -0700 (PDT))
Subject: Re: Limiting access
Sender: owner-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>>>>> "David" == David Babler <dbabler@Rigel.orionsys.com> writes:

    David> I assume the real problem would be if a user just deleted
    David> the stock .rhosts in their directory and replaced it with
    David> one of their own, thus making that a trusted system. I
    David> believe if I change permissions so they can't delete the
    David> file, I'm okay, yes?

Yes, but that would mean changing owners on users' home directories.
To prevent users from removing the .rhosts file, you'd have to make
sure they didn't own their own home directories.  And since they
didn't own them, they couldn't create any new files or subdirectories
unless you gave them appropriate permissions---and then they'd be able
to remove and create a new .rhosts file.  (But some clever combination
of owner, mode, and sticky bit might work.)

Probably the right answer is to use the /etc/login.access file.
See login.access(5) and the sample, commented-out entries in
/etc/login.access.

-- 
Sean Kelly                          
NOAA Forecast Systems Laboratory    kelly@fsl.noaa.gov
Boulder Colorado USA                http://www-sdd.fsl.noaa.gov/~kelly/