[Split off] Re: Kernel Extensions
At 12:00 PM +0100 11/18/03, Stéphane Sudre wrote:
> On Monday, November 17, 2003, at 11:43 PM, Jim Magee wrote:
>
>> And this brings us back to the suggestion that you use ipfw - because it was specifically designed to reflect this kind of traffic out to user-space. That is, if you are going to use anything on these machines at all (instead of just using a proxy server on your network as others have suggested). The argument that any admin user could change the firewall rules doesn't really hold water. They can remove your kext as well.
>
> This is why I'm still wondering why a kext needs to be root:wheel 644/755 and not just root:admin 644/755 when any admin user can be root:wheel if he wants and when he wants. I still don't understand this modification introduced in 10.2.

Admins are allowed to become root as a matter of policy, not equivalency. This is the default policy provided by Apple, but end users and sysadmins are able to change this policy if they like.

Most of the mechanisms that elevate admins to root go through the Security framework, which regulates this via the /etc/authorization file. The ones that don't are probably bugs.

So to answer your question, the reason is to allow the distinction to be made, even if the default config doesn't make it.

-pmb
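An added example, not part of the original message and not Apple's code: a Python audit that walks a kext bundle and reports every entry that is not owned by root:wheel or that is writable by group or other. It assumes wheel is gid 0 and reads the 644/755 requirement discussed above as "no group/other write bit"; `check_entry` and `audit_bundle` are hypothetical names.

```python
import os
import stat
import sys

ROOT_UID = 0
WHEEL_GID = 0  # assumption: wheel is gid 0, as on a stock Mac OS X install


def check_entry(path, st, uid=ROOT_UID, gid=WHEEL_GID):
    """Return a list of ownership/mode problems for one bundle entry."""
    problems = []
    if st.st_uid != uid:
        problems.append(f"{path}: owner uid {st.st_uid}, expected {uid}")
    if st.st_gid != gid:
        problems.append(f"{path}: group gid {st.st_gid}, expected {gid}")
    mode = stat.S_IMODE(st.st_mode)
    # 644 and 755 both clear the group/other write bits (mask 022).
    # Symlink modes are not meaningful, so only ownership is checked for them.
    if not stat.S_ISLNK(st.st_mode) and mode & 0o022:
        problems.append(f"{path}: mode {mode:03o} is group/other writable")
    return problems


def audit_bundle(root, uid=ROOT_UID, gid=WHEEL_GID):
    """Check the bundle directory itself and everything beneath it."""
    problems = check_entry(root, os.lstat(root), uid, gid)
    # os.walk does not follow symlinks, so the audit stays inside the bundle.
    for dirpath, dirnames, filenames in os.walk(root):
        for name in sorted(dirnames + filenames):
            path = os.path.join(dirpath, name)
            problems += check_entry(path, os.lstat(path), uid, gid)
    return problems


if __name__ == "__main__":
    findings = audit_bundle(sys.argv[1])
    print("\n".join(findings) or "ok")
    sys.exit(1 if findings else 0)
```

Passing a different `gid` (for example the admin group's) shows which entries would pass under the root:admin ownership asked about in the quoted question.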
Participants (1): Peter Bierman