[redhat-lspp] I am getting lots of push back on devallocator.

George Wilson gcwilson at us.ibm.com
Fri Jul 14 18:28:46 UTC 2006





redhat-lspp-bounces at redhat.com wrote on 07/14/2006 12:37:29:

> On Fri, Jul 14, 2006 at 01:17:28PM -0400, Daniel J Walsh wrote:
> > Internal Red Hat people are interested if we can do this another way
> > without introducing a new SUID application.
> >
> > Could someone spell out the exact requirements, that devallocator is
> > trying to solve?
>
> I'm a bit confused also. I thought it was intended to help administrators
> define labels for printer devices, and tools run by administrators don't
> need to be SUID.
>
> I just looked at the code, and some of its features such as relabeling
> floppy and CD-ROM devices should definitely *not* be accessible to
> non-admin users via a SUID application, at least not in an evaluated
> config. It also has many override capabilities in its policy, are those
> all really necessary? I think it would be preferable to require that an
> admin runs it who has the necessary privileges already, instead of having
> the tool grant them.
>
> -Klaus
>
> --
> redhat-lspp mailing list
> redhat-lspp at redhat.com
> https://www.redhat.com/mailman/listinfo/redhat-lspp

It is to allow a user to allocate a printer for exclusive use.  Because
relabeling is a privileged operation, we need an intermediary to do the
work on the user's behalf.  There is TSOL documentation that describes
device allocation procedures in their environment:

http://docs.sun.com/app/docs/doc/816-4557/6maosrjd8?a=view

and

http://docs.sun.com/app/docs/doc/816-4557/6maosrjdk?a=view

Thanks,
George Wilson
IBM LTC Security Development