On Tue, Dec 21, 2010 at 10:37:44PM +0100, Miloslav Trmač wrote devel:
Colin Walters píše v Út 21. 12. 2010 v 11:47 -0500:
> "But they still have uid 0, which typical system installation allows
> root to do things. For example, /bin/sh is 0755 and /bin is also 0755
> perms. A disarmed root process can still trojan a system. But what if
> we got rid of all the read/write permissions for root?"
>
> So...right, "we can do these small changes, and then if we do this BIG
> CHANGE, it all works!". But this feature doesn't include BIG CHANGE,
> and there are no plans to, right?
No. The original plans didn't count with the fact that changing
permissions by owner does not require any capabilities either.
If an attacker were controlling a process running with uid 0 and no
capabilities at all, and /bin/sh were 0555, nothing prevents the
attacker from chmod()ing /bin/sh to 0755 and overwriting it. This makes
any attempts to change the file permissions rather pointless.
Ok, so who says that the files must be owned by root? Make them owned by
some other user -- say, bin? (or does that have another use that my
google search isn't coming up with?)