
Re: More PATH fallout. Who decided this was a good idea?



Steve Grubb wrote:

Sure and that can be audited. We can also point out that this act takes
the system out of the certified configuration. So, if you need to be in
the CAPP certified configuration, don't let users do this.
To be CAPP certified, you can't have a web browser?

Not sure where you are going with this line of questions, but yes there are console packages with utilities in the CAPP package set that could be used to grab remote files.

I think the logical implication is that such a system would be essentially useless these days. Do you value the ease of obtaining some certification that will rarely/never be used enough to break things for the vast majority of users?

> Curl, elinks, and ftp are a few I spotted during a quick look. The admin would need to chmod those to prevent their unauthorized use or take some other measure to protect the system to maintain their config.

Still sounds like a useless system to me. I could have kept my typewriter if I wanted something that couldn't access a network.

The bottom line is that we aren't making shadow-utils setuid root so that
--help works.  :)

You lost me there. What device/file with root-only access would shadow-utils need to open to make --help work?

--
  Les Mikesell
   lesmikesell gmail com

