Subject: Re: permissions & rc.conf
To: Jan Danielsson <jan.danielsson@gmail.com>
From: Lubomir Sedlacik <salo@Xtrmntr.org>
List: netbsd-users
Date: 08/23/2005 20:43:33

On Tue, Aug 23, 2005 at 08:37:08PM +0200, Jan Danielsson wrote:
> My university network requires a login/logout via https. To get around
> this annoyance, I have written a login script which handles everything
> automatically during boot and shutdown. I have created a
> /etc/rc.d/unilogin which handles the login/logout. In rc.conf I have:
>
> unilogin=YES
> unilogin_flags="--user=<userid> --pass=<pass>"
>
> Notice the "--pass=" parameter; that's what I want to hide.

you could as well just put the unilogin_flags setting into
/etc/rc.conf.d/unilogin file with the appropriate permissions.

> In fact, if /etc/rc.conf is readable by everyone, it's like saying:
> Don't put important login information here. But what if I *need* to
> place important login information there? IMHO, there should be some
> clear way to do this. I was given a tip which suits me just fine, but
> unless it breaks anything, I see no reason why more files in /etc
> shouldn't be made non-readable by 'everyone'. It's basic security
> thinking, imho.

under normal operation users can obtain most of the information from
observing the system anyway (e.g., hostname, ps, ifconfig, netstat,
etc.).  with the security pov i find it better to have the private
information strictly separated from what is public knowledge anyway.


regards,

-- 
-- Lubomir Sedlacik <salo@{NetBSD,Xtrmntr,silcnet}.org>   --
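
The suggestion in the reply above, as an added example that is not part of the original message: POSIX sh helpers that install the flags into /etc/rc.conf.d/unilogin with mode 0600 and audit files for a `--pass=` flag left accessible to group or others. The function names and the RC_CONF_D variable are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Helper names and the RC_CONF_D
# override are assumptions made for illustration.
RC_CONF_D="${RC_CONF_D:-/etc/rc.conf.d}"

# write_private_conf NAME: install stdin as $RC_CONF_D/NAME with mode 0600.
# The temporary file is created private and renamed into place, so the
# secret is never readable by other users, not even briefly.
write_private_conf() {
    name=$1
    tmp=$(umask 077 && mktemp "$RC_CONF_D/.$name.XXXXXX") || return 1
    if cat > "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$RC_CONF_D/$name"
    then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# is_private FILE: true only for a regular file whose mode grants nothing
# to group or others (0600, 0400, ...). Ownership is not checked here.
is_private() {
    mode=$(ls -ld "$1" 2>/dev/null) || return 1
    case $mode in
        -???------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# audit_secrets FILE...: report every FILE that holds a --pass= flag while
# being accessible to group or others; returns 1 if any such file exists.
audit_secrets() {
    found=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        if grep -q -e '--pass=' "$f" && ! is_private "$f"; then
            echo "exposed: $f"
            found=1
        fi
    done
    return "$found"
}

# Usage, as root (placeholders as in the original post):
#   printf '%s\n' 'unilogin_flags="--user=<userid> --pass=<pass>"' |
#       write_private_conf unilogin
#   audit_secrets /etc/rc.conf /etc/rc.conf.d/*
```

The file mode only protects the stored copy: flags passed on a command line can still appear in ps output while the script runs.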
