Re: rejecting users without entries in passwd
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: rejecting users without entries in passwd
- From: Paul Robinson <paul_(_at_)_iconoplex_(_dot_)_co_(_dot_)_uk>
- Date: Fri, 11 Jul 2003 14:22:24 +0100
On Thu, Jul 10, 2003 at 01:44:55PM -0500, Benjamin A. Collins wrote:
> On Thu, Jul 10, 2003 at 02:17:24PM +0100, Paul Robinson wrote:
> > - All your users' spools and web content end up with the same UID. If you're
> > handing out CGI or PHP access, you've effectively given one user the rights
> > to trash the rest of your users' sites, steal their DB passwords they may
> > have in config files, etc.
>
> Huh? How do you figure that?
Your users exist in SQL/LDAP - the whole objective is to speed up auth and
to reduce the number of UIDs required. It's only relatively recently that
you could have more than 64k UIDs in /etc/passwd - that's not a lot of users
if you're an ISP. So, you end up giving your users the same UID and looking
after chrooting elsewhere.
> > - You can't give local users easy access to mail, web, and likewise these
> > "special" SQL-based users can't be given local shell access. All a bit
> > weird.
>
> Huh?
Your users in SQL/LDAP aren't users. Unix has no knowledge of them. You can't
give them shell access. Likewise, if your mail system is configured to look
after these users that don't exist, the real local shell users are going to
have problems dealing with mail.
--
Paul Robinson
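The exposure Paul describes in the first point (many virtual-hosting customers mapped onto one Unix UID, so a CGI or PHP script running as that UID can reach every other customer's files) is something an administrator can check for rather than take on faith. The script below is an added example and is not part of the original post or of any OpenBSD tool: it parses passwd-format records and reports UIDs used by more than one account, and separately groups web roots on disk by owner UID. The passwd text and the directory names are constructed for the demonstration.

```python
"""Audit for virtual users that share one Unix UID.

Added example, not part of the original mailing-list post. It parses
passwd-format records (the same field layout as /etc/passwd) and reports
UIDs that several accounts share, and, separately, reports web roots on
disk that are owned by the same UID. The sample passwd text and the
directory names below are constructed for the demonstration.
"""
import os
import tempfile
from collections import defaultdict

# Constructed passwd-style records: three virtual hosting customers that
# were all mapped to UID 1001, plus ordinary local accounts.
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/ksh
alice:*:1000:1000:Alice:/home/alice:/bin/ksh
vhost-shop:*:1001:1001:Shop customer:/var/www/shop:/sbin/nologin
vhost-blog:*:1001:1001:Blog customer:/var/www/blog:/sbin/nologin
vhost-wiki:*:1001:1001:Wiki customer:/var/www/wiki:/sbin/nologin
bob:*:1002:1002:Bob:/home/bob:/bin/ksh
"""


def parse_passwd(text):
    """Yield (name, uid, home) tuples from passwd-format text."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed record: skip rather than guess
        yield fields[0], int(fields[2]), fields[5]


def find_shared_uids(text):
    """Return {uid: [names]} for every UID used by more than one account."""
    by_uid = defaultdict(list)
    for name, uid, _home in parse_passwd(text):
        by_uid[uid].append(name)
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


def group_roots_by_owner(paths):
    """Return {uid: [paths]} for existing directories, grouped by owner UID.

    Any script that runs as one of these UIDs can read and write every
    directory listed under that UID, whichever customer it belongs to,
    which is the exposure the post describes. Missing paths are skipped.
    """
    owners = defaultdict(list)
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue
        owners[st.st_uid].append(path)
    return dict(owners)


def demo():
    """Run both checks and return the shared-UID report."""
    shared = find_shared_uids(SAMPLE_PASSWD)
    for uid, names in sorted(shared.items()):
        print(f"UID {uid} is shared by: {', '.join(names)}")
    # Build three throwaway web roots; they all belong to the current
    # user, so they land under a single UID just like the vhost accounts.
    with tempfile.TemporaryDirectory() as tmp:
        roots = [os.path.join(tmp, d) for d in ("shop", "blog", "wiki")]
        for root in roots:
            os.mkdir(root)
        for uid, paths in group_roots_by_owner(roots).items():
            print(f"UID {uid} owns {len(paths)} web roots: {paths}")
    return shared


if __name__ == "__main__":
    demo()
```

Run it against the real file with `find_shared_uids(open("/etc/passwd").read())` and against the actual vhost document roots with `group_roots_by_owner([...])`; a UID that appears with several names, or one UID owning every customer's root, is the condition under which one customer's script has the same rights as the others.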