Re: [Split off] Re: Kernel Extensions
Correct me if I'm wrong but... Even though any admin can be root:wheel if they want, they still have to su or sudo to do so. In my opinion this is a safety net against accidental kext modification. As with any mucking about at the kernel level, you need to be really sure what you're doing. So I have no problems with more protections against modifying kexts.

Corey O'Connor
DogHeadBone LLC
http://www.dogheadbone.com

On Nov 18, 2003, at 3:00 AM, Stéphane Sudre wrote:

> On Monday, November 17, 2003, at 11:43 PM, Jim Magee wrote:
>
>> And this brings us back to the suggestion that you use ipfw - because it was specifically designed to reflect this kind of traffic out to user-space. That is, if you are going to use anything on these machines at all (instead of just using a proxy server on your network as others have suggested). The argument that any admin user could change the firewall rules doesn't really hold water. They can remove your kext as well.
>
> This is why I'm still wondering why a kext needs to be root:wheel 644/755 and not just root:admin 644/755 when any admin user can be root:wheel if he wants and when he wants.
>
> I still don't understand this modification introduced in 10.2.

_______________________________________________
darwin-kernel mailing list | darwin-kernel@lists.apple.com
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/darwin-kernel
Do not post admin requests to the list. They will be ignored.