On Wed, 2012-05-23 at 14:22 -0400, Paul Wouters wrote:
> I just got caught in having two different "validate" commands in my
> path.
>
> The /usr/bin/validate version is from the dnssec-tools package. It has a
> man page and usage info and is a tool to diagnose dnssec lookups.
>
> The /usr/sbin/validate version is from the mod_auth_shadow package. It
> has no man page, no usage, no -h or --help. It is executed by the apache
> server to read /etc/shadow to do user auth. It is setuid root, and not
> meant to be executed by a user.
>
> I suggest moving /usr/sbin/validator into /usr/libexec, and probably
> talking to Dan Walsh about using SElinux to further restrict it so it
> cannot be executed by users or cgis.

We're (sort of) trying to phase out /usr/libexec in favor of
%{_libdir}/%{name}/foo, but otherwise that sounds good.

- ajax
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
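A check for the collision described in this thread, as an added example that is not part of the original messages: it lists command names present in more than one PATH directory and marks the copies that carry the setuid bit. The function names and the temporary sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find command names that exist in more
# than one PATH directory and flag setuid copies.
# Limitations: file names containing spaces are not handled, and directories
# that are symlinks to each other are reported as collisions.

# path_collisions "dir1:dir2:..."   (defaults to $PATH)
# Prints one line per colliding file: "<name> <path> <setuid|plain>"
path_collisions() {
    search_path=${1:-$PATH}
    listing=$(
        old_ifs=$IFS; IFS=:
        for dir in $search_path; do
            IFS=$old_ifs
            [ -d "$dir" ] || continue
            for f in "$dir"/*; do
                [ -f "$f" ] && [ -x "$f" ] || continue
                if [ -u "$f" ]; then kind=setuid; else kind=plain; fi
                printf '%s %s %s\n' "${f##*/}" "$f" "$kind"
            done
        done
    )
    # Keep only names that were seen in at least two directories.
    printf '%s\n' "$listing" | awk '
        { count[$1]++; rows[NR] = $0; name[NR] = $1 }
        END { for (i = 1; i <= NR; i++) if (count[name[i]] > 1) print rows[i] }'
}

# Constructed sample: two directories standing in for /usr/bin and /usr/sbin,
# each holding a stub named "validate"; the sbin copy gets the setuid mode bit.
demo_collisions() {
    root=$(mktemp -d) || return 1
    mkdir "$root/bin" "$root/sbin"
    for f in "$root/bin/validate" "$root/sbin/validate" "$root/bin/other"; do
        printf '#!/bin/sh\n' > "$f"
        chmod 755 "$f"
    done
    chmod u+s "$root/sbin/validate"   # mode bit only; the stub is owned by the caller
    path_collisions "$root/bin:$root/sbin" | sed "s|$root||"
    rm -rf "$root"
}
```

Running `path_collisions` with no argument audits the current `$PATH`; any line ending in `setuid` is a helper that an unqualified command name could resolve to.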