Re: Enabling telnet, ftp, pop3 for root...



Ertugrul Soeylemez wrote:

matt_left_coast <not@xxxxxxxxxx> (06-04-06 19:18:15):

I notice that you did not address BOTH the issues I raised. It
would be impossible to admin a system without giving access to an
editor as root. In that case, logging is disabled. Might just as
well give them access to a shell.

It is possible. You can write small wrapper scripts or programs,
which copy some file in the user's writable space over the actual
configuration file. This allows the user to edit configuration
files without needing to use an editor as root.

However, the configuration files themselves may raise security
risks. One good reason to read the docs and be very careful.

Dude, you can edit scripts and run them AS ROOT and only the name of
the script is logged by sudo.

I write a program, which does nothing more than copying a file from the
writable space of a user over a system-wide configuration file. That
program is owned by root:root and has the SetUID bit. The configuration
file is not dangerous. This should be perfectly secure.

How? How would your "script" prevent

    vi /etc/init.d/crond
    /etc/init.d/crond start

?



Regards.

--
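The copy-only helper debated in this thread, as an added example that is not code from any poster: the caller picks a destination by name from a fixed allowlist, so a path such as /etc/init.d/crond can never be the target, and the staged file must be a regular file owned by the invoking user. The names `resolve_target` and `install_file`, the allowlist entries and the 64 KiB limit are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Fixed allowlist: logical name -> destination. Constructed sample entries. */
struct target { const char *name; const char *dest; };
static const struct target TARGETS[] = {
    { "motd", "/etc/motd" },
    { "ntp",  "/etc/ntp.conf" },
};

/* Map a caller-supplied name to a destination; a raw path never matches. */
const char *resolve_target(const char *name) {
    for (size_t i = 0; i < sizeof TARGETS / sizeof TARGETS[0]; i++)
        if (strcmp(name, TARGETS[i].name) == 0) return TARGETS[i].dest;
    return NULL;
}

/* Copy src over dest through a temp file and rename(); 0 on success, -1 on
 * refusal or error. src must be a regular, non-symlink file owned by owner. */
int install_file(const char *src, const char *dest, uid_t owner) {
    char tmp[4096], buf[4096];
    struct stat st;
    ssize_t n;
    int in = open(src, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (in < 0) return -1;
    if (fstat(in, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != owner ||
        st.st_size > 65536) { close(in); return -1; }
    if (snprintf(tmp, sizeof tmp, "%s.new", dest) >= (int)sizeof tmp) { close(in); return -1; }
    int out = open(tmp, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644); /* never executable */
    if (out < 0) { close(in); return -1; }
    while ((n = read(in, buf, sizeof buf)) > 0)
        if (write(out, buf, (size_t)n) != n) { n = -1; break; }
    close(in);
    if (fsync(out) < 0) n = -1;
    if (close(out) < 0) n = -1;
    if (n < 0 || rename(tmp, dest) < 0) { unlink(tmp); return -1; }
    return 0;
}

int main(int argc, char **argv) {
    const char *dest = argc == 3 ? resolve_target(argv[1]) : NULL;
    if (!dest) { fprintf(stderr, "usage: %s <name> <staged-file>\n", argv[0]); return 2; }
    return install_file(argv[2], dest, getuid()) == 0 ? 0 : 1; /* real uid = invoker */
}
```

The helper only controls which file is replaced and by whom; whether the contents of an allowlisted configuration file can themselves cause harm, the caveat raised earlier in the thread, still has to be judged per file.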

