| 1 |
On 02/21/2015 01:35 AM, Ulrich Mueller wrote: |
| 2 |
|
| 3 |
> Personally, I think that controlling who is allowed to run certain |
| 4 |
> types of applications via group membership is a great idea. We |
| 5 |
> should introduce that approach for other applications too. How |
| 6 |
> about an "editors" group? Text editors are potentially dangerous |
| 7 |
> because they allow users to modify files. Therefore, the system |
| 8 |
> administrator should add only trusted users to the "editors" group |
| 9 |
> so they can run programs like emacs, nano, or vim from the |
| 10 |
> app-editors category. |
| 11 |
> |
| 12 |
|
| 13 |
Protect the permissions on the files, not the editors - there's always |
| 14 |
another way to get content into a file if you have write permission to it. |
| 15 |
If you try to do that with a g+xo-x, then you're going to have to do the |
| 16 |
same for every single command that can put output in a file (sed, curl, |
| 17 |
wget, heck, anything that can be piped, every shell), and then your system |
| 18 |
doesn't even need users anymore, because no user can do anything at all for |
| 19 |
fear they might write to a file! |
Archives