Once upon a time, Steve Grubb <sgrubb@xxxxxxxxxx> said: > On Saturday 06 December 2008 00:55:24 Jesse Keating wrote: > > These are required to be this way for our Common Criteria evaluations. > > > > Is the thought here that if the code can be executed by a non-root user, > > the audit of the code would have to be far more strict? > > No, it has more to do with the fact that we have to audit all attempts to > modify trusted databases - in this case, shadow. No one can use these tools > since they do not have the permissions required to be successful. So, we > remove the ability to use these tools so that we don't have to audit it. > > IOW, if we open the permissions, we need to make these become setuid root so > that we send audit events saying they failed. Then later, Steve Grubb <sgrubb@xxxxxxxxxx> said: > > So "cat >> /etc/shadow" is audited? > > Of course. So cat will have to be setuid root so it can audit? What about echo, bash, perl, etc.? This is absurd. -- Chris Adams <cmadams@xxxxxxxxxx> Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
