On Monday 03 October 2005 10:03, Stephen Smalley wrote:
Have you considered moving the audit generation into a helper program to
avoid having to directly make newrole suid (and to avoid having to
directly allow newrole in policy to access the netlink audit socket)?
Our experience with helper programs was that they
are not very helpful from an assurance perspective.
Sure, you isolate the privileged code, but you still
have to demonstrate that the unprivileged program
that invokes it does so correctly. In this case you
still have to trust newrole, even though it isn't
setuid, because it would invoke a helper that is.
Steve's suggestion that he'll use capabilities to
reduce the exposure is very sensible.
------------------------
Casey Schaufler
casey(a)schaufler-ca.com
650.906.1780