rash & passwd
Andrew Adams
Tue May 3 14:39:13 CEST 1994
Yep, this answers my question. (Sorry to drag you away from your
vacation :-( ).

>Second, the guardian box is not integrated with the rest of the
>network, thus if it's broken, it doesn't mean the end of your
>network.

I don't understand the above statement, though.

Thanks.

-Andy

>On Mon, 2 May 1994 16:10:45 -0400 Andrew Adams wrote:
>> Hi. I was wondering if you guys had perhaps responded to dsj's question
>> of last week concerning rash and passwd and I just didn't see it. We were
>> wondering how you handle letting users set their own passwds with a
>> chrooted shell. (The problem being that even if you give them their own
>> copy of passwd under the "new" root, the _real_ /etc/passwd file can't
>> be updated and thus telnet can't make use of the new passwd.)
>>
>> Did you guys write your own copy of passwd?
>
>That one is on my plate. I didn't have time to look at it yet
>(and I'm on vacation now...). At this time, the password is
>not settable by a rash user; they send in a UNIX-encrypted
>password or get a (random word) password assigned.
>
>Password is a dangerous program, both because it changes behaviour
>pending on argv[0] and command line arguments, and because it
>currently runs as root. I intend to make a second password-file
>(owned by a pseudo-user), from which *only* the password-entry
>is copied to the Master Password file (say, once a day).
>The rest of the entries (e.g. the dangerous shell field)
>are kept in another file OUTSIDE the rash environment.
>
>Please note that rash is still pretty dangerous; write a perl
>script in your guardian file, execute it, and put the 'real'
>guardian file back. We have not made this public..
>I *don't* want a setuid root program in there if I can avoid it.
>
>Second, the guardian box is not integrated with the rest of the
>network, thus if it's broken, it doesn't mean the end of your
>network.
>
>I intend to work on the merge thing next week.
>Is this sufficient?
>
>Geert Jan
>
>> (Dale's on vacation until Wednesday so we can't ask him if he got a reply. :-) )
>>
>> Thanks.
>>
>> Andy

-------- Logged at Tue May 3 14:50:52 MET DST 1994 ---------
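
The merge described in the quoted reply above (a second password file from which only the password entry is copied into the master file), sketched as an added example; it is not code from rash or from anyone in this thread. The function names, the sample entries and the restriction to 13-character crypt(3) hashes are assumptions.

```python
import re

# Assumption: traditional 13-character crypt(3) hashes in field 2.
CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

def parse(text):
    """Map login name -> 7 passwd fields; malformed lines are skipped."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0]:
            entries.setdefault(fields[0], fields)  # first entry wins
    return entries

def merge_passwords(master_text, user_text):
    """Copy only the hash field from the user-writable file into the master."""
    master, user = parse(master_text), parse(user_text)
    out, rejected = [], []
    for line in master_text.splitlines():
        fields = line.split(":")
        cand = user.get(fields[0]) if len(fields) == 7 else None
        if cand is not None:
            if fields[2] == "0":
                rejected.append((fields[0], "uid 0 is never updated"))
            elif not CRYPT_RE.match(cand[1]):
                rejected.append((fields[0], "malformed hash"))
            else:
                fields[1] = cand[1]  # uid, gid, home, shell stay the master's
        out.append(":".join(fields))
    rejected += [(n, "not in master file") for n in user.keys() - master.keys()]
    return "\n".join(out) + "\n", sorted(rejected)

# Constructed sample data (not from the thread).
SAMPLE_MASTER = (
    "root:AAAAAAAAAAAAA:0:0:root:/:/bin/sh\n"
    "andy:BBBBBBBBBBBBB:101:10:Andy:/home/andy:/bin/rash\n"
    "dale:CCCCCCCCCCCCC:102:10:Dale:/home/dale:/bin/rash\n"
)
SAMPLE_USER = (  # what a hostile user might leave in the chroot copy
    "root:ZZZZZZZZZZZZZ:0:0:root:/:/bin/sh\n"
    "andy:abcdefghijk./:0:0:Andy:/:/bin/sh\n"
    "dale::102:10:Dale:/home/dale:/bin/rash\n"
    "eve:DDDDDDDDDDDDD:0:0::/:/bin/sh\n"
)

if __name__ == "__main__":
    merged, rejected = merge_passwords(SAMPLE_MASTER, SAMPLE_USER)
    print(merged, rejected, sep="")
```

Run by a job outside the restricted environment, this lets a user-writable file influence nothing but the hash of an existing non-root account.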