Re: What to do when a command isn't found?

--- jdow <jdow@xxxxxxxxxxxxx> wrote:
> 
> The /sbin and /usr/sbin directories are generally commands that users
> should not use and which may not work at all for users. It is a basic
> part of the security of the system. Unfettered access to ifconfig gives
> a really nice way to perform nastiness on your system by bringing up
> or down various interfaces. It's somewhat handy if commands users are
> not expected to use are not on the user's path.

I tried to execute
   ifconfig eth0 down
on my system as non-root, and got permission denied.

If you're going to restrict access to the commands in /sbin, you
should also change the permissions on the /sbin directory so
unauthorized personnel can't reach it.  As things stand now, you
simply have security through obscurity, since users can change their
own $PATH.

Actually, if you're going to restrict users, you default their shell
to /bin/rbash, set their $PATH to a small number of directories, and
make their .bashrc and .bash_profiles inaccessible.
   === Al
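
The three restrictions listed in the message above (rbash as the login shell, a short $PATH, startup files the user cannot alter) can be checked per account. The script below is an added example, not part of the original message; the function names `owned_by` and `audit_restricted` are hypothetical, and it assumes "inaccessible" means "not owned by the user, in a home directory the user does not own either", and that PATH directories should likewise belong to someone else.

```shell
#!/bin/sh
# Added example: audit one account against the restrictions listed above.
# audit_restricted PASSWD_LINE PATH_VALUE
#   prints one "FINDING:" line per problem; returns 0 if clean, 1 otherwise.
# Constructed sample call:
#   audit_restricted 'al:x:1000:1000::/home/al:/bin/rbash' '/home/al/bin'

owned_by() {    # true if file $1 is owned by numeric uid $2
    [ -n "$(find "$1" -prune -user "$2" -print 2>/dev/null)" ]
}

audit_restricted() {
    uid=$(printf '%s\n' "$1" | cut -d: -f3)
    home=$(printf '%s\n' "$1" | cut -d: -f6)
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    bad=0

    # 1. Login shell must be the restricted shell, which refuses PATH changes.
    case $shell in
        */rbash) ;;
        *) echo "FINDING: login shell is $shell, not rbash"; bad=1 ;;
    esac

    # 2. Startup files: a user who owns the file, or the directory holding it,
    #    can chmod or replace it, so both must belong to someone else.
    if owned_by "$home" "$uid"; then
        echo "FINDING: $home is owned by the user"; bad=1
    fi
    for f in .bashrc .bash_profile .bash_login .profile; do
        if [ -e "$home/$f" ] && owned_by "$home/$f" "$uid"; then
            echo "FINDING: $home/$f is owned by the user"; bad=1
        fi
    done

    # 3. Every PATH entry must be an absolute directory the user does not own.
    old_ifs=$IFS; IFS=:
    for d in $2; do
        case $d in
            /*) if owned_by "$d" "$uid"; then
                    echo "FINDING: PATH entry $d is owned by the user"; bad=1
                fi ;;
            *)  echo "FINDING: PATH entry '$d' is not absolute"; bad=1 ;;
        esac
    done
    IFS=$old_ifs
    return $bad
}
```
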

