>>>>> "HHvB" == Horst H von Brand <vonbrand@xxxxxxxxxxxx> writes: HHvB> One of the basic guidelines when securing a system is to keep it HHvB> as simple as possible, i.e., install only what is required, and HHvB> keep a strict control over what is happening. Anything else ends HHvB> with the sysadmin in a padded cell. As long as users have the ability to make their own programs (and this is REALLY hard to deny someone on Unix), you have lost that particular battle anyway. I have to say I really like the idea of letting non-root install software. Packages which do not touch anything in /etc and have no suid bits should be safe. Those rules do not cover all possible holes -- e.g. a package could have a file /bin/man which did nasty things, in the hope that someone privileged eventually reads a man page. Nevertheless, deliberately malicious packages should be stopped by the Fedora package review. /Benny -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
