[Split off] Re: Kernel Extensions
- Subject: [Split off] Re: Kernel Extensions
- From: Peter Bierman <email@hidden>
- Date: Tue, 18 Nov 2003 13:04:38 -0800
At 12:00 PM +0100 11/18/03, Stéphane Sudre wrote:
> On Monday, November 17, 2003, at 11:43 PM, Jim Magee wrote:
>> And this brings us back to the suggestion that
>> you use ipfw - because it was specifically
>> designed to reflect this kind of traffic out to
>> user-space. That is, if you are going to use
>> anything on these machines at all (instead of
>> just using a proxy server on your network as
>> others have suggested). The argument that any
>> admin user could change the firewall rules
>> doesn't really hold water. They can remove
>> your kext as well.
>
> This is why I'm still wondering why a kext needs
> to be root:wheel 644/755 and not just root:admin
> 644/755 when any admin user can be root:wheel if
> he wants and when he wants.
>
> I still don't understand this modification introduced in 10.2.

Admins are allowed to become root as a matter of policy, not equivalency.
This is the default policy provided by Apple, but
end users and sysadmins are able to change this
policy if they like. Most of the mechanisms that
elevate admins to root go through the Security
framework, which regulates this via the
/etc/authorization file. The ones that don't are
probably bugs.

So to answer your question, the reason is to
allow the distinction to be made, even if the
default config doesn't make it.
-pmb
_______________________________________________
darwin-kernel mailing list | email@hidden
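
Added example, not part of the original message and not an Apple tool: a Python audit of the kext ownership and mode rule discussed in this thread (root:wheel, 644/755). It assumes 644 applies to regular files and 755 to directories, that root:wheel is uid 0 and gid 0, and it uses a constructed bundle with the hypothetical name Sample.kext.

```python
import os
import stat
import tempfile

# Assumption: "644/755" means regular files 0644, directories 0755.
FILE_MODE, DIR_MODE = 0o644, 0o755

def audit_kext(bundle, uid=0, gid=0):
    """Return sorted (path, problem) pairs; uid/gid default to root:wheel (0:0)."""
    findings = []
    entries = [bundle]
    for root, dirs, files in os.walk(bundle):  # does not follow symlinks
        entries += [os.path.join(root, name) for name in dirs + files]
    for path in entries:
        st = os.lstat(path)  # lstat: judge the entry itself, not a link target
        if (st.st_uid, st.st_gid) != (uid, gid):
            findings.append((path, "owner %d:%d" % (st.st_uid, st.st_gid)))
        if stat.S_ISLNK(st.st_mode):
            continue  # a symlink's own mode bits are not meaningful
        want = DIR_MODE if stat.S_ISDIR(st.st_mode) else FILE_MODE
        mode = stat.S_IMODE(st.st_mode)
        if mode != want:
            findings.append((path, "mode %o, want %o" % (mode, want)))
    return sorted(findings)

def build_sample(parent):
    """Constructed sample: a hypothetical Sample.kext with one group-writable file."""
    bundle = os.path.join(parent, "Sample.kext")
    macos = os.path.join(bundle, "Contents", "MacOS")
    os.makedirs(macos)
    plist = os.path.join(bundle, "Contents", "Info.plist")
    binary = os.path.join(macos, "Sample")
    for path in (plist, binary):
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
    for directory in (bundle, os.path.dirname(macos), macos):
        os.chmod(directory, DIR_MODE)
    os.chmod(plist, FILE_MODE)
    os.chmod(binary, 0o664)  # deliberately wrong: group-writable
    return bundle

if __name__ == "__main__":
    # Pass the scratch tree's own owner so only the mode finding is printed.
    with tempfile.TemporaryDirectory() as tmp:
        sample = build_sample(tmp)
        owner = os.lstat(sample)
        for path, problem in audit_kext(sample, owner.st_uid, owner.st_gid):
            print(path, problem)
```

Called with its defaults on an installed bundle path, audit_kext reports every entry that is not root:wheel or whose mode differs from the expected one.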