Tony <mts.spb.suxx@mail.ru> wrote:
On 7 Jan 2005 17:44:45 GMT, David Gibbs <> dagibbs@qnx.com> > wrote:
I think of making all the users’ folders belong to root, put the sticky
bit on them on, let users access their’s folders via group permissions.
Not what I would recommend. The normal (and expected) way is for each
user to own their home directory.
Well, the shere fact that user IS ABLE to remove root-owned read-only
.profile file in his folder and replace it with whatever he wants -
strikes me!
Actually, the .profile in his home directory is INTENDED to be modified
by each user. If you want stuff that is NOT so modified, you should be
using /etc/profile instead.
The $HOME/.profile that is put there during creation is a default one.
At startup, if the shell is a login shell, it will parse & execute:
/etc/profile
$HOME/profile
$ENV
The /etc/profile is intended to be the global, system wide,
non-user-modifiable stuff. The $HOME/profile is intended to
be the place for user-modifiable changes, it is where a user
is expected to start changing their login environment.
$HOME/profile usually specifies a ENV (traditional $HOME/.kshrc)
for further processing.
If you need to have per-user non-changeable customizations of the
shell, you would need to setup something that /etc/profile would
invoke… maybe a line in /etc/profile like:
… /etc/users_config/$LOGNAME.sh
The same (or even worse) happens if user (or an intruder on
user’s behalf) is able to modify his SSH-1 keys…
(SSH-1 is not considered secure any more, SSH-2 allows to hide user’s keys
in user-inaccessible folder, but for performance reasons I use SSH-1 on
the installation. I know - it is not 100% paranoid, but an embedded system
rarely is CPU-rich, one has to go for the compromises…)
I don’t know enough to comment on SSH-1 keys.
-David
David Gibbs
QNX Training Services
dagibbs@qnx.com