ssh -l root getting context staff_t is pointless
Alexandre Oliva
aoliva at redhat.com
Sun Apr 4 07:05:45 UTC 2004
I read previous discussions about it here. The argument IIRC is that
making the default context staff_t adds a little bit of security.
IMHO, it adds no security whatsoever, since
`ssh -l root hostname -t su -' gets you to sysadm_r without asking for
a password. So how about changing the default policy such that ssh
selects sysadm_r by default, which should minimize the inconvenience
without really losing anything in terms of security?
--
Alexandre Oliva http://www.ic.unicamp.br/~oliva/
Red Hat Compiler Engineer aoliva@{redhat.com, gcc.gnu.org}
Free Software Evangelist oliva@{lsd.ic.unicamp.br, gnu.org}
More information about the fedora-selinux-list
mailing list