[TAG] lpr works for user not root in Basiclinux 2.1
ben at linuxgazette.net
Sun Feb 25 04:49:42 MSK 2007
On Tue, Feb 20, 2007 at 10:06:26PM -0500, Sindi Keesan wrote:
> On Mon, 29 Jan 2007, Rick Moen wrote:
> >> Besides running Opera (and maybe dialing and/or loading Xvesa and
> >> rxvt) as user should I take any other precautions on their computers?
> > I don't know how many times I'm willing to say "Your design is
> > fundamentally bad, if only because it uses root logins by default."
> > This is probably the last time, as obviously I'm wasting my time.
> > I stated, for that reason, that I was uninterested in helping users
> > unwilling to do that basic step correctly -- and I meant what I said.
> We had a long discussion about why it is bad to go online as root, which
> is how Basiclinux is set up to operate.
> My current compromise is to:
> 1. Dial as root (because dialing as user would give the user access to
> the login name and password, which would then let anyone with access to
> the user account know these, and besides if I try to dial as user pppd
> complains about not having /etc/ppp/options, which root does not need).
Just to correct a misconception on your part: the information in
/etc/ppp/*-secrets does not have to be readable by the user; this is why
'/usr/sbin/pppd' is set SUID 0. In fact, that's the default
configuration on every Linux system I've seen, including the one I've
just set up on my new laptop:
ben at Tyr:~$ ls -l /usr/sbin/pppd /etc/ppp/*secrets
-rw------- 1 root root 80 2006-05-30 20:58 /etc/ppp/chap-secrets
-rw------- 1 root root 1628 2006-05-30 20:58 /etc/ppp/pap-secrets
-rwsr-xr-- 1 root dip 306720 2006-07-05 06:22 /usr/sbin/pppd
The above means that any user who is part of group 'dip' can execute
'pppd' - and since 'pppd' runs as root, it can read the files that
contain the name and the password.
In other words, it appears as though you're taking a mechanism that
works just fine and changing it so that it will do the same thing as
it's doing now. I suggest that understanding the current mechanism would
serve you better than trying to construct something new from the ground
up - especially since it's not new.
> 3. Put into /home/user/profile the line startx (rather than editing
> inittab to make vt1 run X, which does not work any more anyway once you
> add a user account).
This means, of course, that you'll be trying to start X every time you
log in. Perhaps making it conditional would work better.
> Permission denied (publickey, password, keyboard-interactive).
> If I login user:
> ssh_askpass: exec (/opt/diet/libexec/ssh_askpass): No such file or
> Write failed: broken pipe
> (I don't even have an /opt).
In that case, either recompiling 'ssh' to look for 'ssh_askpass' in a
different place, or creating the above path and a link to the
actual location of 'ssh_askpass' should help.
* Ben Okopnik * Editor-in-Chief, Linux Gazette * http://LinuxGazette.NET *
More information about the TAG