On Wed, 2004-04-21 at 15:33, Colin Walters wrote:
> Ok, that all makes sense. Why not then just use getpwuid(getuid())
> instead of getpwnam?
>
> Hm, although I see one reason - on a SELinux system where "su" is not
> modified, and a normal user with their own SELinux user identity uses
> "su" to become uid 0, then uses newrole, they'd be prompted for the root
> password instead of their password.
>
> However for Fedora where we've modified "su", this is not an issue.

I'd rather move away from asking for a password at all in newrole, and
substitute some other user confirmation mechanism (one that doesn't risk
exposure of a secret).

> Yeah. It seems there is some work in this area going on:
> http://shellcode.org/Kernel/tpe/

TPE is _not_ related to the classical notion of trusted path at all.
Type Enforcement is a better mechanism for providing the equivalent
functionality of TPE. Trusted path is described in the latter part of
http://www.nsa.gov/selinux/papers/inevitability/#2 , among other places.

--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency