On Sunday 26 July 2009 08:38:45 pm Tom Lane wrote:
Steve Grubb <sgrubb(a)redhat.com> writes:
> The directory for /bin is 0755 root root. So, even if we drop all
> capabilities, the root acct can still trojan a system.
>
> If we change the bin directory to 005, then root cannot write to that
> directory unless it has the CAP_DAC_OVERRIDE capability.
I trust you meant to write 0555?
No, I really mean 005 so that root daemons are using public permissions.
Admins of course have DAC_OVERRIDE and can do anything. Try the script in a VM
and tell me if there are any problems you see.
Thanks,
-Steve