Miroslav Lichvar (mlichvar@xxxxxxxxxx) said:

> > The entire idea of utempter is so that the terminal *doesn't* need to be
> > setgid - if it's setgid, what's the point of a helper?
>
> Well, the terminal doesn't need to be setgid utmp, but only utempter.
> Setgid utempter allows only adding/removing entries in utmp while
> setgid utmp allows unrestricted access.

Only if it's coded wrong (doesn't drop privs, etc.). By adding a setgid
to the binary, you're making the point of separating it merely a
code-sharing issue, as opposed to any huge security gains.

I'd remove the block on the directory - basically, you're intentionally
breaking users' environments for illusory security.

Bill

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list