What to do when a command isn't found?
Al Sparks
data345 at yahoo.com
Thu Jul 6 19:53:28 UTC 2006
--- jdow <jdow at earthlink.net> wrote:
>
> The /sbin and /usr/sbin directories are generally commands that users
> should not use and which may not work at all for users. It is a basic
> part of the security of the system. Unfettered access to ifconfig gives
> a really nice way to perform nastiness on your system by bringing up
> or down various interfaces. It's somewhat handy if commands users are
> not expected to use are not on the user's path.
I tried to execute
ifconfig eth0 down
on my system as non-root, and got permission denied.
If you're going to restrict access to the commands in /sbin, you
should also change the permissions on the /sbin directory so
unauthorized personnel can't reach it. As things stand now, you
simply have security through obscurity, since users can change their
own $PATH.
Actually, if you're going to restrict users, you default their shell
to /bin/rbash, set their $PATH to a small amount of directories, and
make their .bashrc and .bash_profiles inaccessible.
=== Al
More information about the users
mailing list