[comp.sys.next] How do I disable time and date setting from Preferences?

eps@toaster.SFSU.EDU (Eric P. Scott) (11/16/89)

"Note that if your computer is on a network, its internal clock
might be managed by a system administrator, in which case the
Set button is dimmed."  -- p.332 in the Useless Reference Manual

This is the only documented indication I could find that it's
even possible to prevent malicious or curious users from screwing
up the date and time.  Does Preferences look for a running ntpd
and/or timed?  Can I safely strip it of its set-uid bit?  Will
this break password changing?
					-=EPS=-

feldman@umd5.umd.edu (Mark Feldman) (11/16/89)

In article <127@toaster.SFSU.EDU> eps@cs.SFSU.EDU (Eric P. Scott) writes:
>"Note that if your computer is on a network, its internal clock
>might be managed by a system administrator, in which case the
>Set button is dimmed."  -- p.332 in the Useless Reference Manual
>
>This is the only documented indication I could find that it's
>even possible to prevent malicious or curious users from screwing
>up the date and time.  Does Preferences look for a running ntpd
>and/or timed?  Can I safely strip it of its set-uid bit?  Will
>this break password changing?
>					-=EPS=-

Preferences doesn't look for anything.

Stripping the setuid bit will do what you want without any harmful side
effects.  I have been running Preferences this way on all of my NeXTs for
quite some time.  Password changing in Preferences is unaffected.  This is
probably due to the fact that NetInfo is used when you change your password
with Preferences, and since /etc/passwd is not being modified, you don't have
to be root.

There are several other setuid bits that you might want to strip:

	/NextApps/BuildDisk -- leaving it setuid is just asking for
	trouble.  It does no security/authorization checks whatsoever, and
	will destroy the boot device at any user's request.  In many (most?)
	situations, there is no need to leave this program on the system
	unless you are into building flopticals or like to keep a complete
	distribution on your cubes.

	/NextApps/Printmanager -- do you really want users reconfiguring or
	removing your print queues?  A naive user can easily do this by
	accident.

	All of the programs in /NextAdmin -- While these programs perform a
	security check, asking for the root password before allowing you to
	run the program or make changes (depending on the program), they do
	not check to see if you are in the wheel group.  If you have opted
	for the default, secure su, where you must be in the wheel group
	before su'ing root, then leaving these programs setuid removes that
	added wheel group security.

When we first saw that you could change A time in Preferences, we wondered
what time was being changed.  After all, no one would let any user change
THE time, would they?-(

  Mark
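
[Added example, not part of any post in this thread: a POSIX sh script for the audit described in the post above. It lists setuid files under directories such as /NextApps and /NextAdmin, flags any that are not on an approved list, and clears the bit while logging the previous mode. The function names, the allowlist file (one path per line) and the log file are assumptions of this example.]

```shell
#!/bin/sh
# Added example: audit and strip setuid bits on directories such as
# /NextApps and /NextAdmin. Function names, the allowlist file and the
# log file are assumptions of this example, not NeXT tools.

# Print every regular file under the given directories that has the
# setuid bit (mode 4000) set, one path per line, sorted.
list_setuid() {
    find "$@" -type f -perm -4000 -print 2>/dev/null | sort
}

# unapproved_setuid ALLOWLIST DIR...
# Print setuid files that are not named in ALLOWLIST (one path per line).
unapproved_setuid() {
    allow=$1; shift
    list_setuid "$@" | while IFS= read -r p; do
        grep -Fxq -- "$p" "$allow" || printf '%s\n' "$p"
    done
}

# strip_setuid LOGFILE FILE...
# Clear the setuid bit on each file, appending its previous `ls -ld`
# line (mode, owner, path) to LOGFILE so the change can be reversed.
strip_setuid() {
    log=$1; shift
    for f in "$@"; do
        # chmod follows symlinks, so refuse anything but a plain file.
        if [ -L "$f" ] || [ ! -f "$f" ]; then
            echo "skipped (not a regular file): $f" >&2
            continue
        fi
        ls -ld "$f" >>"$log"
        chmod u-s "$f"
    done
}

# Usage: sh setuid-audit.sh ALLOWLIST DIR...
if [ "$#" -ge 2 ]; then
    unapproved_setuid "$@"
fi
```

Review the output of unapproved_setuid before passing any of it to strip_setuid; changing files owned by root requires running as root.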
  

	

izumi@violet.berkeley.edu (Izumi Ohzawa) (11/18/89)

In article <127@toaster.SFSU.EDU> eps@cs.SFSU.EDU (Eric P. Scott) writes:
>"Note that if your computer is on a network, its internal clock
>might be managed by a system administrator, in which case the
>Set button is dimmed."  -- p.332 in the Useless Reference Manual

I couldn't figure out what this meant, and our machine is
running stand-alone.  So, I modified Preferences in /NextApps 
using "fsectbyname" utility and IB.
You can extract appropriate .nib file with fsectbyname,
edit it by IB to break connection from "SET" button, and
put the modified .nib file back into Preferences executable.

"fsectbyname" sources and executable are available from one of
anonymous FTP sites (which I don't remember at the moment).

Izumi Ohzawa.

ali@polya.Stanford.EDU (Ali T. Ozer) (11/21/89)

In article <1989Nov18.035121.8882@agate.berkeley.edu> Izumi Ohzawa writes:
> ...  So, I modified Preferences in /NextApps 
>using "fsectbyname" utility and IB. You can extract appropriate .nib file
>with fsectbyname, edit it by IB to break connection from "SET" button, and
>put the modified .nib file back into Preferences executable.

Wow. That fsectbyname is pretty handy!

One recommendation, especially when you modify apps on a machine that might
be used by many different people:  Please try to indicate, somehow, that
the app is modified (perhaps in the info box, which you can also edit,
or in the title bar, or right where you modified it), and, if you can,
put the modified app in /LocalApps, not /NextApps.  Otherwise someone
who is not aware of the change will come along and get very confused and
contact a campus support person or NeXT Tech Support who will be even more
confused.

Ali