More PATH fallout. Who decided this was a good idea?
Les Mikesell
lesmikesell at gmail.com
Sat Dec 6 21:18:59 UTC 2008
Steve Grubb wrote:
>
>>> Sure and that can be audited. We can also point out that this act takes
>>> the system out of the certified configuration. So, if you need to be in
>>> the CAPP certified configuration, don't let users do this.
>> To be CAPP certified, you can't have a web browser?
>
> Not sure where you are going with this line of questions, but yes there are
> console packages with utilities in the CAPP package set that could be used to
> grab remote files.
I think the logical implication is that such a system would be
essentially useless these days. Do you value the ease of obtaining
some certification that will rarely/never be used enough to break things
for the vast majority of users?
> Curl, elinks, and ftp are a few I spotted during a quick
> look. The admin would need to chmod those to prevent their unauthorized use or
> take some other measure to protect the system to maintain their config.
Still sounds like a useless system to me. I could have kept my
typewriter if I wanted something that couldn't access a network.
> The bottom line is that we aren't making shadow-utils setuid root so that
> --help works. :)
You lost me there. What device/file with root-only access would
shadow-utils need to open to make --help work?
--
Les Mikesell
lesmikesell at gmail.com