On 07/26/2009 07:32 PM, Steve Grubb wrote:
> If we change the bin directory to 005, then root cannot write to that
> directory unless it has the CAP_DAC_OVERRIDE capability. The idea with this
> project is to not allow network facing or daemons have CAP_DAC_OVERRIDE, but
> to only allow it from logins or su/sudo.

What mechanism do you use to segregate things like yum-cron that do
automatic security updates?

Doesn't SELinux already support allowing non-root users to have access
to low-numbered ports? There's also authbind and packet mangling. We
have rsyslog rules for logfile writing now.

Isn't it simpler to aim for not running daemons as root rather than
redefining what root means?

-Bill
--
Bill McGonigle, Owner Work: 603.448.4440
BFC Computing, LLC Home: 603.448.1668
http://www.bfccomputing.com/ Cell: 603.252.2606
Twitter, etc.: bill_mcgonigle Page: 603.442.1833
Email, IM, VOIP: bill(a)bfccomputing.com
Blog: http://blog.bfccomputing.com/
VCard: http://bfccomputing.com/vcard/bill.vcf
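
The mechanism in the quoted proposal, as an added example that is not part of the original thread: a simplified model of the kernel's mode-bit check, showing that a uid-0 process without CAP_DAC_OVERRIDE cannot modify a root-owned directory of mode 005, while one holding the capability can. The `/proc/<pid>/status` excerpts are constructed sample input, and the function names are hypothetical.

```python
# Added illustration. Simplified model of the directory write check:
# ignores ACLs, LSMs such as SELinux, read-only mounts and user namespaces.
CAP_DAC_OVERRIDE = 1  # bit number from <linux/capability.h>

# Constructed sample: root daemon holding only CAP_NET_BIND_SERVICE (bit 10).
ROOT_DAEMON = """
Name:   exampled
Uid:    0 0 0 0
Gid:    0 0 0 0
Groups: 0
CapEff: 0000000000000400
"""

# Constructed sample: root login shell with a full effective set.
ROOT_LOGIN = """
Name:   bash
Uid:    0 0 0 0
Gid:    0 0 0 0
Groups: 0
CapEff: 0000003fffffffff
"""

def parse_status(text):
    """Return (fsuid, group ids, effective capability mask) from status text."""
    fields = dict(line.split(":", 1) for line in text.strip().splitlines())
    fsuid = int(fields["Uid"].split()[3])  # order: real, effective, saved, filesystem
    gids = {int(fields["Gid"].split()[3])} | {int(g) for g in fields["Groups"].split()}
    return fsuid, gids, int(fields["CapEff"].strip(), 16)

def can_modify_dir(proc, st_uid, st_gid, st_mode):
    """True if the process may create or remove entries (needs write + search)."""
    fsuid, gids, cap_eff = proc
    if (cap_eff >> CAP_DAC_OVERRIDE) & 1:
        return True              # the capability bypasses the mode bits
    if fsuid == st_uid:
        bits = st_mode >> 6      # owner class applies, even if "other" grants more
    elif st_gid in gids:
        bits = st_mode >> 3      # group class
    else:
        bits = st_mode           # other class
    return (bits & 0o3) == 0o3   # w and x both set

if __name__ == "__main__":
    for name, text in (("daemon", ROOT_DAEMON), ("login", ROOT_LOGIN)):
        for mode in (0o755, 0o005):
            ok = can_modify_dir(parse_status(text), 0, 0, mode)
            print(f"{name:6} mode {mode:03o}: {'write allowed' if ok else 'write denied'}")
```
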