On Sunday 07 December 2008 11:31:54 Enrico Scholz wrote:
> Both 'vipw' and 'ldapadd' are official and documented tools to manage
> user database.

vipw I believe is forbidden due to its ability to circumvent auditing of user-subject binding. ldap is not part of the evaluation. However, we could certainly extend the auditing to other programs if we wanted to. Nothing is preventing this except someone having the time to do it. If you wanted to add auditing, I'm all for it and don't mind helping where I can.

> > The utilities that would allow you to modify it cannot be accessed
> > unless you are root.
>
> Sounds like "when the algorithm is hidden, the crypto mechanism is
> secure"...

I wouldn't characterize it like that. It means that you have established procedures that ensure the Security Objectives are met. As for crypto, the unprivileged user has access to passwd and that does crypto for them.

-Steve

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
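The point Steve makes is that vipw lets a root user rewrite the user database without the change being tied to an audited user-management action. One way to close that gap, as an added example that is not part of the thread and not Fedora's or the audit package's own code, is to watch the database files themselves with auditd rules and then check the resulting records for writes made by anything other than the expected management tools. The rules below use the standard auditctl watch syntax; the `user_db` key, the allow-list of tools and the log records are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

# Assumed audit rules: watch the user database files for writes and attribute
# changes, tagging every matching record with the key "user_db". With these
# in place, a vipw session or a plain editor shows up just like usermod does.
AUDIT_RULES = [
    "-w /etc/passwd -p wa -k user_db",
    "-w /etc/shadow -p wa -k user_db",
    "-w /etc/group -p wa -k user_db",
    "-w /etc/gshadow -p wa -k user_db",
]

# Hypothetical allow-list: the tools a site expects to rewrite those files as
# part of its audited user-management workflow.
EXPECTED_TOOLS = {
    "/usr/sbin/useradd", "/usr/sbin/usermod", "/usr/sbin/userdel",
    "/usr/sbin/groupadd", "/usr/bin/passwd", "/usr/bin/chage",
}

# auditd records are space-separated key=value pairs; values may be quoted.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_SERIAL = re.compile(r'audit\([\d.]+:(\d+)\)')


@dataclass
class Record:
    serial: str   # event serial, shared by the SYSCALL and PATH records
    auid: str     # login uid: who actually logged in, even after su/sudo
    uid: str      # uid the process ran with
    exe: str      # executable that performed the write
    comm: str
    success: str


def parse_record(line):
    """Parse one auditd line into a dict of field -> value (quotes stripped)."""
    fields = {}
    for k, v in _KV.findall(line):
        fields[k] = v[1:-1] if v.startswith('"') else v
    return fields


def user_db_changes(lines, key="user_db"):
    """SYSCALL records carrying the watch key: every attempt to write the
    user database, regardless of which program made it."""
    out = []
    for line in lines:
        f = parse_record(line)
        if f.get("type") != "SYSCALL" or f.get("key") != key:
            continue
        m = _SERIAL.search(f.get("msg", ""))
        out.append(Record(
            serial=m.group(1) if m else "?",
            auid=f.get("auid", "?"), uid=f.get("uid", "?"),
            exe=f.get("exe", "?"), comm=f.get("comm", "?"),
            success=f.get("success", "?"),
        ))
    return out


def unexpected_editors(records, expected=EXPECTED_TOOLS):
    """Records whose executable is not an expected management tool. Direct
    edits (vipw, an editor, a copy) land here and can be tied back to the
    login user through auid."""
    return [r for r in records if r.exe not in expected]


# Constructed sample records (not real audit output): a usermod run, a vipw
# session, a failed attempt by an unprivileged user with vi, and an unrelated
# event with no key.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1228665114.100:301): arch=c000003e syscall=82 success=yes exit=0 '
    'ppid=2311 pid=2345 auid=1000 uid=0 euid=0 tty=pts0 ses=3 comm="usermod" exe="/usr/sbin/usermod" key="user_db"',
    'type=PATH msg=audit(1228665114.100:301): item=1 name="/etc/passwd" inode=1234 dev=fd:00 mode=0100644 ouid=0 ogid=0',
    'type=SYSCALL msg=audit(1228665190.200:318): arch=c000003e syscall=82 success=yes exit=0 '
    'ppid=2311 pid=2390 auid=1000 uid=0 euid=0 tty=pts0 ses=3 comm="vipw" exe="/usr/sbin/vipw" key="user_db"',
    'type=SYSCALL msg=audit(1228665250.300:325): arch=c000003e syscall=2 success=no exit=-13 '
    'ppid=2311 pid=2401 auid=1000 uid=1000 euid=1000 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" key="user_db"',
    'type=SYSCALL msg=audit(1228665300.400:330): arch=c000003e syscall=42 success=yes exit=0 '
    'ppid=1 pid=2410 auid=4294967295 uid=0 euid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key=(null)',
]


def report(lines):
    """Human-readable summary of user database writes not made by an expected tool."""
    return [f"event {r.serial}: {r.exe} (auid={r.auid} uid={r.uid} success={r.success})"
            for r in unexpected_editors(user_db_changes(lines))]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

On a live system the same records come from `ausearch -k user_db`, and the PATH record sharing an event's serial names the file that was touched. Keying on auid rather than uid is what preserves the user-subject binding the thread is about: the vipw edit was done as root, but the record still says which login session did it.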