Steve Grubb wrote:
>>> Sure and that can be audited. We can also point out that this act takes
>>> the system out of the certified configuration. So, if you need to be in
>>> the CAPP certified configuration, don't let users do this.
>>
>> To be CAPP certified, you can't have a web browser?
>
> Not sure where you are going with this line of questions, but yes there are
> console packages with utilities in the CAPP package set that could be used to
> grab remote files.

I think the logical implication is that such a system would be
essentially useless these days. Do you value the ease of obtaining
some certification that will rarely/never be used enough to break things
for the vast majority of users?

> Curl, elinks, and ftp are a few I spotted during a quick
> look. The admin would need to chmod those to prevent their unauthorized use or
> take some other measure to protect the system to maintain their config.

Still sounds like a useless system to me. I could have kept my
typewriter if I wanted something that couldn't access a network.

> The bottom line is that we aren't making shadow-utils setuid root so that
> --help works. :)

You lost me there. What device/file with root-only access would
shadow-utils need to open to make --help work?
--
Les Mikesell
lesmikesell@xxxxxxxxx