Re: Bits from the release team: the plans for etch
Stephen Frost <sfrost@snowman.net> writes:
> * Thomas Bushnell BSG (tb@becket.net) wrote:
>> Stephen Frost <sfrost@snowman.net> writes:
>> > By knowing what the package uses the user for. This is somewhat akin to
>> > the PostgreSQL package's question "do you want your data files to be
>> > purged upon package removal", or the fact that the default Postgres
>> > installation uses ident and the 'postgres' user is the superuser for the
>> > database (meaning you're going to be su'ing to postgres probably a fair
>> > bit).
>>
>> How do you know that the system administrator hasn't chowned a file to
>> that UID?
>
> Same way you know that the system administrator hasn't modified a file
> in /usr/bin.

Um, I know that by comparing the contents against a known-true
version. How do I detect whether the system administrator has used a
UID?

Moreover, the consequences of getting the one wrong are that you
delete the sysadmin's changes. The consequences of the other are an
important and difficult-to-detect security hole.

Thomas