How to run program as another user - and permanently dropping current user privileges?

Stuart Jansen sjansen at buscaluz.org
Tue Mar 13 21:10:05 MDT 2007


On Tue, 2007-03-13 at 18:12 -0600, Doran L. Barton wrote:
> Not long ago, Chris Carey proclaimed...
> > You can specifically deny SSH logins to that account by editing
> > /etc/ssh/sshd_config
> 
> See the DenyUsers directive in the sshd_config(5) man page. 

The problem with DenyUsers is that it puts a finger in the dike, but
other leaks might appear. What if a junior admin turns telnet on? What
if a less-than-trustworthy user with a local account decides to have a
little fun?

DenyUsers is blacklisting and may be part of a complete security
implementation, but AllowUsers is going to be more secure because it
uses whitelisting instead. Both do nothing to secure other channels,
however.

Best is to leave the user's shell as /bin/nologin and use "su -l -s -c"
or else sudo as Scott & Chris have suggested.

BTW: You'll probably want to set the user's password field back to
something impossible like "*" or "!".

-- 
Stuart Jansen              e-mail/jabber: sjansen at buscaluz.org
                           google talk:   stuart.jansen at gmail.com

"However beautiful the strategy, you should occasionally look at 
the results." -- Winston Churchill
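The lockdown Stuart describes, as an added example that is not code from the thread: a nologin shell plus a locked password field closes every password-based channel (ssh, telnet, console), an AllowUsers whitelist covers ssh specifically, and `su -l -s /bin/sh -c` (the `-s` option takes the shell to use as its argument) or `sudo -u` still lets you run one-off commands as the account. The account name "svcbackup", the passwd/shadow lines and the sshd_config fragments are constructed for the example; `lockdown_account` and `run_as` need root and are only defined here, while the two audit functions are pure text checks that run anywhere. The sshd model is a simplification: it matches exact user names only, not the wildcard or user@host forms sshd also accepts, and ignores Match blocks.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed sample data follows.

# Lines as they would appear in /etc/passwd and /etc/shadow for a hypothetical
# service account. The "good" pair has a nologin shell and a locked field.
SAMPLE_PASSWD='svcbackup:x:1001:1001:Backup service:/var/lib/backup:/sbin/nologin'
SAMPLE_SHADOW='svcbackup:!:19000:0:99999:7:::'
# Two "bad" variants: a real shell, and a live password hash.
BAD_PASSWD='svcbackup:x:1001:1001:Backup service:/var/lib/backup:/bin/bash'
BAD_SHADOW='svcbackup:$6$saltsalt$hashhashhash:19000:0:99999:7:::'

# Constructed sshd_config fragments: a whitelist and a blacklist.
ALLOW_CFG='Port 22
PermitRootLogin no
# only these accounts may log in over ssh
AllowUsers alice bob'
DENY_CFG='Port 22
DenyUsers svcbackup'

# lockdown_account USER  (needs root; defined only, not called here)
# usermod -s sets the login shell; passwd -l prefixes the hash with "!",
# which is the "impossible" password field the post refers to.
lockdown_account() {
    usermod -s /sbin/nologin "$1"
    passwd -l "$1"
}

# run_as USER CMD...  (needs root; defined only, not called here)
# -s overrides the nologin shell for this one command only; the account
# itself remains unable to log in. "sudo -u USER CMD" is the alternative.
run_as() {
    user=$1; shift
    su -l -s /bin/sh -c "$*" "$user"
}

# check_locked PASSWD_LINE SHADOW_LINE
# Returns 0 only if the shell is a non-login shell AND the password field
# is a locked marker: "*", "!", "!!", or "!" followed by an old hash.
check_locked() {
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    pw=$(printf '%s\n' "$2" | cut -d: -f2)
    case "$shell" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false) ;;
        *) return 1 ;;
    esac
    case "$pw" in
        '*'|'!'*) return 0 ;;
        *) return 1 ;;
    esac
}

# ssh_login_blocked CONFIG_TEXT USER
# Simplified model of sshd's evaluation order: DenyUsers is checked first,
# then, if AllowUsers is present, the user must be listed in it.
# Returns 0 if USER would be refused, 1 if sshd would let the login proceed.
ssh_login_blocked() {
    cfg=$1; user=$2
    deny=$(printf '%s\n' "$cfg" | awk 'tolower($1)=="denyusers"{for(i=2;i<=NF;i++)print $i}')
    allow=$(printf '%s\n' "$cfg" | awk 'tolower($1)=="allowusers"{for(i=2;i<=NF;i++)print $i}')
    for u in $deny; do [ "$u" = "$user" ] && return 0; done
    [ -z "$allow" ] && return 1
    for u in $allow; do [ "$u" = "$user" ] && return 1; done
    return 0
}

# Stand-alone demo: audit the constructed account and both config styles.
if check_locked "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"; then
    echo "svcbackup: shell and password field locked down"
else
    echo "svcbackup: NOT locked down"
fi
for u in svcbackup alice charlie; do
    ssh_login_blocked "$ALLOW_CFG" "$u" && a=blocked || a=allowed
    ssh_login_blocked "$DENY_CFG" "$u" && d=blocked || d=allowed
    echo "$u: AllowUsers config -> $a, DenyUsers config -> $d"
done
```

The demo output makes the whitelist/blacklist point concrete: with `DenyUsers svcbackup`, a second local account such as "charlie" is still allowed in, while with `AllowUsers alice bob` both svcbackup and charlie are refused without anyone having to remember to list them. `check_locked` is the test to run after `lockdown_account`, and it also catches the case where someone later gives the account a shell back.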