From: Geoffrey S. Mendelson on 4 Nov 2009 14:59

Doug Anderson wrote:
> I suppose you could change the privileges on the folder to allow a
> non-root user to write files there, though depending on the folder I
> suppose there could be some unintended consequences of that.

The folder in question was /usr/local/bin which is really something that
should be read only except to someone who administers the system. However,
AFAIK it's not used in normal Mac operations, only in command line processes
(terminal.app for example) or XWindows.

This is really UNIX related and not MacOS specific. So I may lose people
who are not fluent in UNIX operations and permissions.

MacOS (at least Leopard) supports groupids, and /usr/local/bin is owned by
root, group admin. It's writeable only by root. You could change it to be
writeable by admin (mode 775 instead of 755) which would have the side effect
of allowing any administrator to be able to write to it at any time.

The other possibility is to make a new group, or use wheel (group id 0),
which limits the exposure. I don't know if there is any other problem
caused by this.

Since it most likely will be used by shell scripts or XWindows programs,
you could just create an arbitrary user, for example "fred" and a bin
directory below his home. Then you would make /Users/fred world readable
(which I think it is by default) and the same with /Users/fred/bin.

Then the shell scripts would have /Users/fred/bin added to their path.

This would be better IMHO as there is little security exposure, no changes to
the Apple provided system except for adding the userid in the first place
and putting the directory in /etc/paths.

Geoff.

--
Geoffrey S. Mendelson, Jerusalem, Israel gsm(a)mendelson.com N3OWJ/4X1GM
From: Jack Shown on 6 Nov 2009 16:49

On Nov 4, 10:05 am, johnny bobby bee <stepore-no_spam_...(a)gmail.com> wrote:
> Jack Shown wrote:
> > If root is not enabled (other than by sudo), is it possible to scp a
> > file to a root-owned folder? If so, could you please provide an
> > example? Thanks a bunch.
>
> Be specific as to what you're trying to achieve.
>
> Or, just copy it as a normal user to your home directory then use sudo
> to put it where you want.

I have a cronjob which executes every morning on 25 iMac C2Ds. I just
placed it on all 25 iMacs but now I want to modify it and anticipate
wanting to modify it in the future. I don't want to have to sudo on all
25 iMacs every time. Thanks.
From: Jack Shown on 6 Nov 2009 17:03

On Nov 4, 11:59 am, "Geoffrey S. Mendelson" <g...(a)mendelson.com> wrote:
> Doug Anderson wrote:
> > I suppose you could change the privileges on the folder to allow a
> > non-root user to write files there, though depending on the folder I
> > suppose there could be some unintended consequences of that.
>
> The folder in question was /usr/local/bin which is really something that
> should be read only except to someone who administers the system. However,
> AFAIK it's not used in normal Mac operations, only in command line processes
> (terminal.app for example) or XWindows.
>
> This is really UNIX related and not MacOS specific. So I may lose people
> who are not fluent in UNIX operations and permissions.
>
> MacOS (at least Leopard) supports groupids, and /usr/local/bin is owned by
> root, group admin. It's writeable only by root. You could change it to be
> writeable by admin (mode 775 instead of 755) which would have the side effect
> of allowing any administrator to be able to write to it at any time.

Wouldn't I need to do a chmod of all three directories as in:

    chmod 775 /usr /usr/local /usr/local/bin

Otherwise, wouldn't the group permissions of the parent directory cause
me grief? And, if I did this, does that create a security hazard?

I guess I could just place the file in ~admin/bin and create a hard
link to it in /usr/local/bin on each machine or just modify /etc/crontab
on each machine. Then I could always do the scp without issues.

Thanks for your help.

> The other possibility is to make a new group, or use wheel (group id 0),
> which limits the exposure. I don't know if there is any other problem
> caused by this.
>
> Since it most likely will be used by shell scripts or XWindows programs,
> you could just create an arbitrary user, for example "fred" and a bin
> directory below his home. Then you would make /Users/fred world readable
> (which I think it is by default) and the same with /Users/fred/bin.
>
> Then the shell scripts would have /Users/fred/bin added to their path.
>
> This would be better IMHO as there is little security exposure, no changes to
> the Apple provided system except for adding the userid in the first place
> and putting the directory in /etc/paths.
>
> Geoff.
>
> --
> Geoffrey S. Mendelson, Jerusalem, Israel g...(a)mendelson.com N3OWJ/4X1GM
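
Added example, not part of any post in this thread: a portable sh helper that reports, for each directory from a target such as /usr/local/bin up to /, whether write access extends to the group or to everyone, which is the state to check before and after a mode change like the 775 discussed above. The function names and the script file name are hypothetical; the mode is parsed from `ls -ld` so the same script runs on Mac OS X and Linux.

```sh
#!/bin/sh
# Added example; function names are hypothetical.
# Creating a file needs write+search (w+x) on the containing directory only;
# each ancestor needs search (x). So the audit looks at every level separately.

# Print the widest class that can write to one directory: world, group or owner.
dir_write_exposure() {
    # -L follows symlinks (e.g. /tmp on macOS); the mode string looks like drwxrwxr-x
    mode=$(ls -ldL "$1" | cut -c1-10)
    case "$mode" in
        d???????w?) echo world ;;   # 9th character: write bit for others
        d????w????) echo group ;;   # 6th character: write bit for group
        d*)         echo owner ;;
        *)          echo notdir; return 1 ;;
    esac
}

# Walk from a directory up to / and print one "exposure path" line per level.
audit_chain() {
    d=$1
    while :; do
        printf '%-6s %s\n' "$(dir_write_exposure "$d")" "$d"
        case "$d" in /|.) break ;; esac
        d=$(dirname "$d")
    done
}

# Usage (file name is an example): sh audit.sh /usr/local/bin /Users/fred/bin
for dir in "$@"; do
    audit_chain "$dir"
done
```

Any level reported as `group` or `world` lets members of that class add, replace or remove entries in that directory, so a directory that cron jobs or PATH lookups depend on should show `owner` unless the wider access is intended.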