[Server-devel] /etc/xs-sigchecks-enabled

Douglas Bagnall douglas at paradise.net.nz
Thu Nov 6 18:45:04 EST 2008

>> By default, the xs-check script errors if the flag is not there; you
>> need to use the --tolerate-nosigs option to get the 'you can do
>> anything' behaviour.
> I had to read up on xs-check - it's just a simpler friend of xs-sum .
> Would it not be easier and less suprising if both tools had the same
> behaviour? We can define that the general concept is that
>  if -e /etc/xs-security-on or "--strict" is passed then be strict,
>  otherwise just check consistency if relevant (xs-sum)

Aha, what I have just implemented differs from this just slightly (due
to me not reading/remembering properly): --strict causes xs-sum and
xs-check to error if the flag is not set, regardless of any known
keys.  The way you describe is better.

I'm not near a school server, so I haven't been able to test the
xs-tools usbmount script.  It should be allowing a once-only trusted
import of keys, then disallowing imports unless they are signed and
security is on.


More information about the Server-devel mailing list