On Saturday 06 December 2008 11:56:31 Jesse Keating wrote:
> > > ordinary user cannot possibly use these tools since they do not have the
> > > requisite permissions.
> >
> > Now I'm confused. Why would the binary have to be suid?

Because if they didn't type --help, we are going to have to log the attempted
compromise. Sending an audit event requires CAP_AUDIT_WRITE. You have to be
setuid root from the beginning or not at all.

> It seems that the cert folks have a different definition of "use" than
> we do. A normal user should be able to use the binary to get help
> output, and the binary would be useful in path for things like tab
> completion leading up to a sudo call.

An unprivileged user cannot successfully use this utility. Just like tcpdump
can't be used. The difference is that shadow-utils modifies a trusted database
and tcpdump doesn't. If you need to see the command options, look at the man
page. That's what it's there for.

-Steve