pentch@milton.acs.washington.edu (Dean Pentcheff) (02/28/90)
On the Next that I administrate, we've just discovered that any user
(via Preferences) can reset the system clock to any arbitrary value.
This is unacceptable.

How can I disable users' ability to do this?

-Dean
hoodr@syscube.csus.edu (Robert Hood) (03/02/90)
In article <2170@milton.acs.washington.edu> pentch@milton.acs.washington.edu (Dean Pentcheff) writes:
>On the Next that I administrate, we've just discovered that any user
>(via Preferences) can reset the system clock to any arbitrary value.
>This is unacceptable.
>
>How can I disable users' ability to do this?
>

Yes...I just did that earlier this week!

1) Use fsectbyname (from most NeXT archives) to remove the time panel
   from preferences:

	fsectbyname r Preferences __NIB time > time.nib

2) Use InterfaceBuilder to modify time.nib.  DO NOT MAKE THE FILE BIGGER.
   In other words, don't add anything.  I also don't recommend removing any
   of the buttons either.  I resized the window to make it larger.  I then
   dragged all the stuff I didn't want modified down towards the bottom.
   Then I resized the window to cover up the stuff!  (Make sure you resize
   it to the same size it was before).  The only button I left was the
   button that changes the clock face.

3) Reload time.nib into Preferences.

	fsectbyname w Preferences __NIB time < time.nib

Don't do this on your only copy!

Robert Hood
--
California State University: Sacramento      (916) 278-7402
INTERNET: hoodr@csus.edu   <-- NeXT mail too!
BITNET:   hoodr@CALSTATE
UUCP:     ...!ucdavis!csusac!hoodr
mic@ut-emx.UUCP (Mic Kaczmarczik) (03/03/90)
>In article <2170@milton.acs.washington.edu> pentch@milton.acs.washington.edu (Dean Pentcheff) writes:
>On the Next that I administrate, we've just discovered that any user
>(via Preferences) can reset the system clock to any arbitrary value.
>This is unacceptable.

Yes, it is.  A way to disable this might be to remove the set-uid
protection bit from Preferences (e.g. chmod 775 /NextApps/Preferences).
This way, anything in Preferences that requires Unix superuser
permissions (like changing the @!#&^% boot disk) will fail unless the
*superuser* does it.  Anything Preferences does to a user's home
directory should still work.

I haven't tried this, but in general, one sure way to keep an
incautious setuid program from messing up your system is to remove the
setuid bit entirely.

Alternatively, perhaps NeXT should consider requiring you to type
in the system administrator password before setting things that
affect the entire system.

--
Mic Kaczmarczik                  mic@emx.utexas.edu (Internet)
Unix/VMS/Cyber Services          mic@utaivc (BITNET)
UT Austin Computation Center     ...!cs.utexas.edu!ut-emx!mic (UUCP)
COM 1/UT Austin/Austin TX 78712  ``Good tea. Nice house.'' -- Worf

Please direct consulting questions to gripe@{emx,ix2,ccwf,iv1} as appropriate.
bob@MorningStar.Com (Bob Sutterfield) (03/03/90)
In article <25424@ut-emx.UUCP> mic@ut-emx.UUCP (Mic Kaczmarczik) writes:

   Alternatively, perhaps NeXT should consider requiring you to type
   in the system administrator password before setting things that
   affect the entire system.

But that would destroy the quaint personal computer feel of the
system, and make it seem too much like a UNIX workstation.
rogerj@batcomputer.tn.cornell.edu (Roger Jagoda) (03/03/90)
In article <1990Mar2.023809.25321@csusac.csus.edu> hoodr@syscube.UUCP (Robert Hood) writes:
>In article <2170@milton.acs.washington.edu> pentch@milton.acs.washington.edu (Dean Pentcheff) writes:
>>On the Next that I administrate, we've just discovered that any user
>>(via Preferences) can reset the system clock to any arbitrary value.
>>This is unacceptable.
>>
>>How can I disable users' ability to do this?
>>
>Yes...I just did that earlier this week!
>
>1) Use fsectbyname (from most NeXT archives) to remove the time panel
>   from preferences:

Yes, you could do that but there's a MUCH easier way:

	su to root
	chmod ug-s Preferences
	exit

Changing passwd still works because NetInfo takes care of this, only
the call to `date` is disabled and that's what we're after, isn't it?

--Roger Jagoda
--CORNELL University
--FQOJ@CORNELLA.CIT.CORNELL.EDU
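
Added example (not part of any post in this thread): the two chmod forms suggested above, `chmod 775` and `chmod ug-s`, applied to constructed scratch files that start at mode 4755, an assumed stand-in for a setuid binary. It shows that both clear the setuid bit, while the absolute form also rewrites the remaining permission bits.

```sh
#!/bin/sh
# Added example: compare absolute and symbolic chmod on scratch files.
# The files and their starting mode 4755 are constructed for illustration;
# they are not taken from a real NeXT system.

# has_bits FILE MODE: succeed if FILE has every bit of octal MODE set.
has_bits() {
    [ -n "$(find "$1" -prune -perm "-$2" -print)" ]
}

# list_privileged DIR: print regular files under DIR that are setuid or setgid.
list_privileged() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# describe FILE: summarise the two bits that differ between the chmod forms.
describe() {
    if has_bits "$1" 4000; then out="setuid"; else out="no-setuid"; fi
    if has_bits "$1" 020; then
        out="$out group-writable"
    else
        out="$out not-group-writable"
    fi
    printf '%s\n' "$out"
}

# make_sample DIR NAME: create a constructed setuid file with mode 4755.
make_sample() {
    printf '#!/bin/sh\nexit 0\n' > "$1/$2" && chmod 4755 "$1/$2"
}

scratch=$(mktemp -d)
trap 'rm -rf "$scratch"' EXIT

make_sample "$scratch" absolute
make_sample "$scratch" symbolic
before=$(list_privileged "$scratch" | wc -l)

chmod 775 "$scratch/absolute"    # absolute mode: replaces every permission bit
chmod ug-s "$scratch/symbolic"   # symbolic mode: clears only setuid and setgid

echo "privileged files before: $before"
echo "after chmod 775:  $(describe "$scratch/absolute")"
echo "after chmod ug-s: $(describe "$scratch/symbolic")"
echo "privileged files after: $(list_privileged "$scratch" | wc -l)"
```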
mic@ut-emx.UUCP (Mic Kaczmarczik) (03/04/90)
In article <BOB.90Mar2161018@volitans.MorningStar.Com> bob@MorningStar.Com (Bob Sutterfield) writes:
>In article <25424@ut-emx.UUCP> mic@ut-emx.UUCP (Mic Kaczmarczik) writes:
>   Alternatively, perhaps NeXT should consider requiring you to type
>   in the system administrator password before setting things that
>   affect the entire system.
>
>But that would destroy the quaint personal computer feel of the
>system, and make it seem too much like a UNIX workstation.

Hmm, yes.  A personal computer that actually kept users out of each
others' hair *would* be sort of strange, wouldn't it? :-) :-) :-)

--
Mic Kaczmarczik                  mic@emx.utexas.edu (Internet)
Unix/VMS/Cyber Services          mic@utaivc (BITNET)
UT Austin Computation Center     ...!cs.utexas.edu!ut-emx!mic (UUCP)
COM 1/UT Austin/Austin TX 78712  ``Good tea. Nice house.'' -- Worf

Please direct consulting questions to gripe@{emx,ix2,ccwf,iv1} as appropriate.
freek@fwi.uva.nl (Freek Wiedijk) (03/04/90)
In article <25477@ut-emx.UUCP> mic@emx.utexas.edu (Mic Kaczmarczik) writes:
>Hmm, yes.  A personal computer that actually kept users out of each
>others' hair *would* be sort of strange, wouldn't it? :-) :-) :-)

Hmm.  A personal computer that has more than ONE user is not very
*personal*, so your remark should have been...

A personal computer that kept a user out of his own hair *would* be
sort of strange, wouldn't it? :-) :-) :-)

--
Freek "the Pistol Major" Wiedijk                  Path: uunet!fwi.uva.nl!freek
#P:+/ = #+/P?*+/ = i<<*+/P?*+/ = +/i<<**P?*+/ = +/(i<<*P?)*+/ = +/+/(i<<*P?)**