More PATH fallout. Who decided this was a good idea?

Miloslav Trmač mitr at volny.cz
Sun Dec 7 23:09:24 UTC 2008


Jesse Keating píše v Ne 07. 12. 2008 v 15:05 -0800:
> On Mon, 2008-12-08 at 10:03 +1100, Andrew Bartlett wrote:
> > 
> > Perhaps I'm a bit slow this morning, but vipw is forbidden but
> > vi /etc/passwd isn't?
> 
> I think he means "forbidden by policy" in which using anything /but/ the
> audit-able tools is "forbidden by policy".  If you're expecting
> everybody to follow policy, why not just set policy that says "don't
> hack this box".  That'll work right?
Violations of "don't hack this box" don't generate audit messages that
can be manually examined for actual intrusions.  Violations of "don't
access /etc/shadow manually" do.
	Mirek




More information about the fedora-devel-list mailing list