[Server-devel] /etc/xs-sigchecks-enabled
Douglas Bagnall
douglas at paradise.net.nz
Thu Nov 6 18:45:04 EST 2008
>> By default, the xs-check script errors if the flag is not there; you
>> need to use the --tolerate-nosigs option to get the 'you can do
>> anything' behaviour.
>
> I had to read up on xs-check - it's just a simpler friend of xs-sum.
> Would it not be easier and less surprising if both tools had the same
> behaviour? We can define that the general concept is that
>
> if -e /etc/xs-security-on or "--strict" is passed then be strict,
> otherwise just check consistency if relevant (xs-sum)

Aha, what I have just implemented differs from this just slightly (due
to me not reading/remembering properly): --strict causes xs-sum and
xs-check to error if the flag is not set, regardless of any known
keys. The way you describe is better.

I'm not near a school server, so I haven't been able to test the
xs-tools usbmount script. It should be allowing a once-only trusted
import of keys, then disallowing imports unless they are signed and
security is on.

Douglas