At 22:36 24/02/2004, David Schultz wrote:
>This is the third time this issue has been discussed, so before
>the same arguments are rehashed, I'd like to lay out a simple plan
>that I think people are unlikely to object to. (If anyone *does*
>object, please say so.)

I object. :)

>(1) Fix login(1) so that it disables the -p option when the target
> user's shell is not in /etc/shells (unless the invoking user
> is root)

Adding /sbin/nologin to /etc/shells is a standard way to create
ftp-only users. This may or may not be the appropriate solution, but
it is widely used.

>(2) Make nologin(8) setgid nobody, so rtld ignores LD_LIBRARY_PATH.

Wearing my member-of-security-team hat, I have to say I'm rather
unhappy with this idea. It's also been pointed out (by nectar) that
there are issues with NFS if files are owned by nobody or nogroup.

Colin Percival

Received on Tue Feb 24 2004 - 14:04:28 UTC
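An audit sketch for the objection to proposal (1), added here as an example and not part of the original message: it lists accounts whose shell is a nologin binary that is also listed in the shells file, which are the accounts for which an /etc/shells test would not disable -p. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# exempt_nologin_users PASSWD SHELLS
# Print "user shell" for every account whose login shell is a nologin
# binary AND appears in the shells file. For these accounts a check of
# the form "shell not in /etc/shells" is false, so it changes nothing.
exempt_nologin_users() {
    awk -F: '
        FILENAME == ARGV[1] {            # first file: the shells list
            sub(/#.*/, "")               # drop comments
            gsub(/^[ \t]+|[ \t]+$/, "")  # trim whitespace
            if ($0 ~ /^\//) listed[$0] = 1
            next
        }
        /^#/ || NF < 7 { next }          # skip comments, malformed lines
        # The shell is the last field in both passwd and master.passwd.
        $NF ~ /(^|\/)nologin$/ && ($NF in listed) { print $1, $NF }
    ' "$2" "$1"
}

# Demo on constructed sample files (not taken from any real system).
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/shells" <<'EOF'
# constructed sample /etc/shells
/bin/sh
/bin/csh
/sbin/nologin   # added locally for ftp-only users
EOF
    cat > "$dir/passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
ftpuser:*:1001:1001:FTP only:/home/ftpuser:/sbin/nologin
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
EOF
    exempt_nologin_users "$dir/passwd" "$dir/shells"
    rm -rf "$dir"
}

demo
```

On a real system the arguments would be /etc/passwd and /etc/shells.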