
Re: rejecting users without entries in passwd



On Thu, Jul 10, 2003 at 01:44:55PM -0500, Benjamin A. Collins wrote:

> On Thu, Jul 10, 2003 at 02:17:24PM +0100, Paul Robinson wrote:
> > - All your users' spools and web content end up with the same UID. If you're
> > handing out CGI or PHP access, you've effectively given one user the rights
> > to trash the rest of your users' sites, steal their DB passwords they may
> > have in config files, etc. 
> 
> Huh? How do you figure that?

Your users exist in SQL/LDAP - the whole objective is to speed up auth and 
to reduce the number of UIDs required. It's only relatively recently that 
you could have more than 64k UIDs in /etc/passwd - that's not a lot of users 
if you're an ISP. So, you end up giving your users the same UID and looking 
after chrooting elsewhere.
 
> > - You can't give local users easy access to mail, web, and likewise these
> > "special" SQL-based users can't be given local shell access. All a bit
> > weird.
> 
> Huh?  

Your users in SQL/LDAP aren't users. Unix has no knowledge of them. You can't 
give them shell access. Likewise, if your mail system is configured to look 
after these users that don't exist, the real local shell users are going to 
have problems dealing with mail.

-- 
Paul Robinson
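As an added illustration of the shared-UID problem described above (example code written for this page, not anything posted in the thread): an audit that, given the owner UID and mode bits of each customer's config files, flags the files a CGI/PHP script running as another customer's UID could read. The web-root layout, site names and UIDs are assumed sample values.

```python
import os
import stat
from collections import defaultdict

# Constructed sample of what an auditor would collect from the web root:
# (site, path, owner uid, permission bits). Hypothetical paths and UIDs.
SAMPLE_FILES = [
    ("alice", "/srv/www/alice/config.php", 5000, 0o600),
    ("bob",   "/srv/www/bob/config.php",   5000, 0o600),  # same UID as alice
    ("carol", "/srv/www/carol/config.php", 5002, 0o600),
    ("dave",  "/srv/www/dave/db.conf",     5003, 0o644),  # world-readable
]

def audit(records):
    """Return (path, problem, other_sites) for files another tenant can read.

    A file is exposed if (a) its owner UID is shared by more than one site,
    because a script running as that UID can open anything the UID owns, or
    (b) it is group- or world-readable, which defeats even distinct UIDs.
    """
    sites_per_uid = defaultdict(set)
    for site, _path, uid, _mode in records:
        sites_per_uid[uid].add(site)
    findings = []
    for site, path, uid, mode in records:
        if len(sites_per_uid[uid]) > 1:
            others = sorted(sites_per_uid[uid] - {site})
            findings.append((path, "shared-uid", others))
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append((path, "readable-by-others", []))
    return findings

def collect(web_root):
    """Gather (site, path, uid, mode) records from a real /srv/www-style tree."""
    records = []
    for site in sorted(os.listdir(web_root)):
        for dirpath, _dirs, files in os.walk(os.path.join(web_root, site)):
            for name in files:
                path = os.path.join(dirpath, name)
                st = os.lstat(path)
                records.append((site, path, st.st_uid, stat.S_IMODE(st.st_mode)))
    return records

if __name__ == "__main__":
    # Run against the constructed sample; use audit(collect("/srv/www")) on a host.
    for path, problem, others in audit(SAMPLE_FILES):
        print(f"{path}: {problem} {' '.join(others)}".rstrip())
```

Per-user UIDs alone do not close the hole: the dave entry shows a distinct UID whose config file is still readable because of its mode bits.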


