Quoting Bill McGonigle (bill(a)bfccomputing.com):
> On 07/26/2009 07:32 PM, Steve Grubb wrote:
> > If we change the bin directory to 005, then root cannot write to that
> > directory unless it has the CAP_DAC_OVERRIDE capability. The idea with this
> > project is to not allow network facing or daemons to have CAP_DAC_OVERRIDE, but
> > to only allow it from logins or su/sudo.
> What mechanism do you use to segregate things like yum-cron that do
> automatic security updates?
> Doesn't SELinux already support allowing non-root users to have access
> to low-numbered ports? There's also authbind and packet mangling. We
> have rsyslog rules for logfile writing now.
> Isn't it simpler to aim for not running daemons as root rather than
> redefining what root means?
heh, I agree - running them not as root, and with just the capabilities
they need. What Steve is doing is a step toward that.
(Then I disagree with the last part of your statement - eventually redefine
root to be just another user who happens to own the hardware. pie in the sky,
perhaps.)
-serge
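The point Steve and Serge are discussing above (a 005 bin directory stops even uid 0 from writing unless the process holds CAP_DAC_OVERRIDE) can be checked with a small model of the kernel's discretionary access check. The script below is an added example, not code from the thread or from Steve's project: `dac_allows` mirrors the owner/group/other ordering and the CAP_DAC_OVERRIDE escape hatch of the kernel's `generic_permission()` (the hypothetical function and scenario names are mine), and `probe_real_dir` creates a real 005 directory in a temp location and reports whether the running process can write into it, which tells you whether it effectively has CAP_DAC_OVERRIDE.

```python
"""Model of the kernel DAC check for Steve's 005-directory idea (added example).

Assumptions (not from the thread): the simulated process is described by
(uid, set of gids, set of capability names); only CAP_DAC_OVERRIDE is modelled.
"""
import os
import shutil
import stat
import tempfile

CAP_DAC_OVERRIDE = "CAP_DAC_OVERRIDE"
MAY_READ, MAY_WRITE, MAY_EXEC = 4, 2, 1   # same bit values as rwx in a mode


def dac_allows(mode, owner_uid, owner_gid, uid, gids, want, caps=frozenset()):
    """Return True if a process (uid, gids, caps) may perform `want`
    (bitmask of MAY_*) on an inode with the given mode and owner.

    Ordering follows generic_permission(): the owner bits apply if the uid
    matches, otherwise the group bits if the gid matches, otherwise 'other'.
    Only when the plain DAC bits deny does CAP_DAC_OVERRIDE get consulted.
    """
    if uid == owner_uid:
        bits = (mode >> 6) & 7
    elif owner_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    if bits & want == want:
        return True
    if CAP_DAC_OVERRIDE in caps:
        # Directory DACs are fully overridable. For regular files the kernel
        # refuses to override an exec check when no exec bit is set at all.
        if stat.S_ISDIR(mode) or not (want & MAY_EXEC) or (mode & 0o111):
            return True
    return False


def bin_dir_scenarios():
    """Three processes against a root-owned directory with mode 005 (d---r-x)."""
    mode = stat.S_IFDIR | 0o005
    return {
        # interactive root login / su / sudo: keeps CAP_DAC_OVERRIDE, can write
        "root_with_cap": dac_allows(mode, 0, 0, 0, {0}, MAY_WRITE, {CAP_DAC_OVERRIDE}),
        # network-facing daemon running as uid 0 but stripped of the capability:
        # owner bits are 0, so creating/removing entries in bin is refused
        "root_no_cap": dac_allows(mode, 0, 0, 0, {0}, MAY_WRITE),
        # ordinary user: 'other' bits r-x still let it list and search the dir
        "user_rx": dac_allows(mode, 0, 0, 1000, {1000}, MAY_READ | MAY_EXEC),
    }


def probe_real_dir():
    """Create a real 005 directory we own and try to create a file inside it.

    Returns True if the write succeeded (the process has CAP_DAC_OVERRIDE in
    effect, e.g. plain root) and False if the kernel refused it (EACCES).
    """
    base = tempfile.mkdtemp(prefix="dac005-")
    target = os.path.join(base, "bin")
    os.mkdir(target)
    os.chmod(target, 0o005)               # chmod needs ownership, not write permission
    try:
        with open(os.path.join(target, "newfile"), "w"):
            pass
        return True
    except PermissionError:
        return False
    finally:
        os.chmod(target, 0o700)           # so the cleanup below can remove it
        shutil.rmtree(base)


if __name__ == "__main__":
    for name, ok in bin_dir_scenarios().items():
        print(f"{name:15s} -> {'allowed' if ok else 'denied'}")
    print("real 005 dir writable by this process:", probe_real_dir())
```

Run it once as an unprivileged user and once under sudo: the simulation output is the same both times, but `probe_real_dir` flips from False to True, which is exactly the gap Steve's project closes by withholding CAP_DAC_OVERRIDE from daemons while leaving it to login and su/sudo sessions.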