From: Anton J Aylward, CISSP (aja si.on.ca)
Date: Wed Feb 21 2001 - 21:12:37 CST

That's actually a good idea. Some commercial systems (I'm
most familiar with AIX and Solaris but the same logic applies
to others since it's inherent in the semantics of the groups
access) use this kind of 'trick'. The most visible is the
'Wheel Group' restriction for the SU command.

However this is a nice idea. It can be applied in a wide
scope of situations. It can be used to delegate the power
usually reserved for root when combined with 'multiple
accounts with the same UID' trick that Spaff and Garfinkel
describe in "Practical UNIX & Internet Security" from
O'Reilly. If you don't have this book I strongly recommend it.

I've used this technique to delegate out functions that are
usually reserved for Root, such as DNS administration.

Of course if this is just you on your LINUX workstation
at home, this may all be too esoteric ...

Anton J Aylward
--
--------------------------------------------------------------------
Security is not something that comes in
a self-contained box. It is an attribute
of how you do business and as such
needs to be managed carefully.
- Karen Goertzel, Wang Federal Inc.
> -----Original Message-----
> From: Tzafrir Cohen
> Sent: Wednesday, February 21, 2001 7:55 PM
> >
>
> If you fear local exploits, unset the suid
> bit of the crontab executable, or make it executable only
> to a certain group of users.
>
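
The two options suggested in the quoted message (remove the setuid bit, or limit execution to one group), as an added shell example that is not part of either post. It works only on constructed scratch files standing in for crontab and su; the function names and the use of the caller's own GID as the trusted group are assumptions for illustration.

```shell
#!/bin/sh
# Added example: scratch files only, nothing under /usr/bin is touched.

# audit_suid DIR: list setuid regular files in DIR, one per line, as
#   world-exec PATH   setuid and executable by every local user
#   group-only PATH   setuid, executable by the group but not by others
audit_suid() {
    find "$1" -type f -perm -4001 | sort | sed 's/^/world-exec /'
    find "$1" -type f -perm -4010 ! -perm -0001 | sort | sed 's/^/group-only /'
}

# restrict_to_group FILE GROUP: keep setuid, allow only owner and GROUP to run it.
# chgrp runs first because Linux clears the setuid bit on an executable file
# when its group is changed; chmod then sets the final mode.
restrict_to_group() {
    chgrp "$2" "$1" && chmod 4750 "$1"
}

# drop_suid FILE: remove the setuid bit, leaving the other mode bits as they are.
drop_suid() {
    chmod u-s "$1"
}

# Demo on constructed files that stand in for crontab and su.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/crontab"; : > "$d/su"
    chmod 4755 "$d/crontab" "$d/su"
    echo "before:"; audit_suid "$d"
    restrict_to_group "$d/crontab" "$(id -g)"   # assumed group: caller's own GID
    drop_suid "$d/su"
    echo "after:"; audit_suid "$d"
    rm -rf "$d"
}
demo
```

Running `audit_suid` again after a package upgrade shows whether the package manager has restored the original mode.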