On 02/21/2015 01:35 AM, Ulrich Mueller wrote:

> Personally, I think that controlling who is allowed to run certain
> types of applications via group membership is a great idea. We
> should introduce that approach for other applications too. How
> about an "editors" group? Text editors are potentially dangerous
> because they allow users to modify files. Therefore, the system
> administrator should add only trusted users to the "editors" group
> so they can run programs like emacs, nano, or vim from the
> app-editors category.
>

Protect the permissions on the files, not the editors - there's always
another way to get content into a file if you have write permission to it.
If you try to do that with a g+xo-x, then you're going to have to do the
same for every single command that can put output in a file (sed, curl,
wget, heck, anything that can be piped, every shell), and then your system
doesn't even need users anymore, because no user can do anything at all for
fear they might write to a file!