2009/11/4 Kevin Kofler <kevin.kofler@xxxxxxxxx>:
> Richard June wrote:
>> It's a good idea for one-off jobs where the primary user is also the
>> admin, but not so good for shared systems. Personally I think a better
>> plan would be to display that information *only* if the user is
>> flagged as an administrator, group root, wheel, etc.
> It's actually a security risk to display this to non-admin users. It's like
> putting a sticker on your door saying "This door is not locked because my
> keyhole is not working."

Well, in this case you're posting it on the *inside* of your door. :)
If someone has shell access, they can always run "foo --version", so I
don't think this introduces any security risks that aren't already
posed by someone having a shell on your server.

McGill University IT Security
fedora-devel-list mailing list