[oi-dev] glib changes review

Alexander Pyhalov alp at rsu.ru
Fri Mar 11 12:43:36 UTC 2016

On 03/11/2016 15:18, Peter Tribble wrote:
> On Fri, Mar 11, 2016 at 12:03 PM, Alexander Pyhalov <alp at rsu.ru> wrote:
> The problem I see with using pfexec is that bad things happen if the user
> has some other profiles or privileges, so you end up giving those programs
> rights they don't need. For example, if the user is Primary Administrator
> then pfexec usually equates to "run as root", which probably isn't what you
> intend. Generally, using pfexec assumes that the program being run is
> privilege aware (so it can drop any unexpected privileges).

I see this, but don't have a good answer besides writing in the docs
"Don't use Primary Administrator profile".

The issue is that we want to give these programs sys_devices privileges.
Is there a good way to do this without using pfexec?
"pfexec -P sys_devices something" doesn't seem to work.

Best regards,
Alexander Pyhalov,
system administrator of Southern Federal University IT department

