[PLUG] Strange feature wanted...

Daniel Pittman daniel at rimspace.net
Tue Dec 28 06:12:01 UTC 2010


On Tue, Dec 28, 2010 at 17:04, drew wymore <drew.wymore at gmail.com> wrote:
> On Mon, Dec 27, 2010 at 8:22 PM, Michael C. Robinson <
> plug_1 at robinson-west.com> wrote:
>
>> Standard on Linux is that root can read any file on the local file
>> system.  Unfortunately, to get OpenDNS to update via ddclient, you
>> have to know the username and password of the account that needs
>> updating.  Is it possible to connect a password to ddclient.conf
>> or better yet require entry of the password in the file before it
>> can be opened?

No.  At least, not without something like SELinux, which root would
ultimately be able to work around anyhow unless you invest ... an
awful lot of time and effort in security.  (eg: also lock down any way
to bypass SELinux, and raw device access, and segment off software for
security, and prevent network sniffing, and so on and so on.  Not
impossible, just a *lot* of work.)

>> Basically, what I am interested in is password
>> protecting a single file and requiring that even the super user
>> enter that password to access it, unless the super user wants to
>> delete it.  This way, in a sense, there can be more than one superuser
>> and it becomes possible to delegate maintenance of OpenDNS for example
>> to someone else.
>>
>> Frankly, I think it is stupid that you can't ask the OpenDNS servers
>> to update an account without logging in to that account, hint hint.

If they permitted that, and didn't use some password-equivalent, then
anyone could change your settings, right?  I could do that just by
guessing your non-secret account name or whatever...

> That's the whole idea behind sudo.

Well, the whole "delegate limited authority" thing is, yeah.  It
doesn't solve the protection of the file, but it allows you to write
something that has limited capabilities that you can give to another
user so that they can interact with OpenDNS but not obtain access to
the credentials.

Not that this is trivial to do either, but less hard than securing the
file itself. :)

Regards,
    Daniel
-- 
✣ Daniel Pittman            ✉ daniel at rimspace.net            ☎ +61 401 155 707
              ♽ made with 100 percent post-consumer electrons
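One shape the sudo delegation Daniel describes can take, as an added example that is not from the thread: a root-owned wrapper that runs ddclient against a root-only config, a sudoers rule that permits that one wrapper with no arguments, and a check that the credentials file is not group- or world-readable. The user name dnsops, the wrapper path and the config path are assumptions.

```sh
#!/bin/sh
# Added example (not from the PLUG thread). Hypothetical names: delegated
# user "dnsops", wrapper /usr/local/sbin/opendns-update, config
# /etc/ddclient.conf owned by root with mode 0600.
set -eu

# Body of the wrapper the delegate is allowed to run. It takes no arguments,
# so the delegate cannot point ddclient at a different config or pass options.
# Deploy with: wrapper_script | install -m 0755 -o root /dev/stdin /usr/local/sbin/opendns-update
wrapper_script() {
    cat <<'EOF'
#!/bin/sh
# Runs as root via sudo; the config (and the OpenDNS password in it) is root-only.
set -eu
exec /usr/sbin/ddclient -file /etc/ddclient.conf -force
EOF
}

# sudoers rule: one user, one fixed command; the trailing "" means the
# command may only be run with no arguments. Validate with: visudo -cf FILE
sudoers_rule() {
    printf '%s ALL=(root) %s ""\n' "$1" "$2"
}

# The credentials file may hold a plaintext password only if nobody but its
# owner can read it: accept mode 0600 or 0400 (GNU stat first, BSD fallback).
secret_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}
```

The delegate then runs `sudo /usr/local/sbin/opendns-update` and never sees the config; root still reads it, which is the limit Daniel points out.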
