Lower Process Capabilities

Serge E. Hallyn serue at us.ibm.com
Fri Aug 14 22:05:06 UTC 2009


Quoting Steve Grubb (sgrubb at redhat.com):
> On Sunday 26 July 2009 07:32:36 pm Steve Grubb wrote:
> > What can be done is that we program the application to drop some of the
> > capabilities so that it's not all powerful. There's just one flaw in this
> > plan. The directory for /bin is 0755 root root. So, even if we drop all
> > capabilities, the root acct can still trojan a system.
> >
> > If we change the bin directory to 005, then root cannot write to that
> > directory unless it has the CAP_DAC_OVERRIDE capability. The idea with this
> > project is to not allow network facing or daemons to have CAP_DAC_OVERRIDE,
> > but to only allow it from logins or su/sudo.
> 
> As discussed at the Fesco meeting last week, the lower process capabilities
> project is going to reduce the scope of this part of the proposal. At this
> point, we are going to tighten up perms on the directories in $PATH, /lib[64],
> /boot, and /root.
> 
> A sample srpm can be found here for anyone wanting to try it out before alpha 
> is unfrozen.
> 
> http://people.redhat.com/sgrubb/files/filesystem-2.4.24-1.fc12.src.rpm
> 
> Any feedback would be appreciated.

Hi Steve,

downloading and looking at filesystem.spec in the above rpm, I don't
see any special treatment for boot, root, or /lib....  Is the right
rpm at that link?  If so, then I must be misunderstanding - can you
give me a diff or something to explain how it's supposed to work?

thanks,
-serge
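The DAC argument in the quoted proposal (a 0755 root-owned directory stays writable by root even with CAP_DAC_OVERRIDE dropped, because root is the owner, whereas a 005 directory is not) can be checked directly. The program below is an added illustration and is not part of this thread or of the filesystem package; it drops CAP_DAC_OVERRIDE from its own process with raw capget/capset (no libcap needed), creates a scratch directory under /tmp with each mode, and tries to create a file in it. The directory template and the function names are this example's own.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Remove CAP_DAC_OVERRIDE from this process. Lowering your own capability
 * sets needs no privilege, so this works for root and non-root alike. The
 * bounding-set drop needs CAP_SETPCAP and only matters for later execve()s,
 * so its failure is tolerated. Returns 0 on success. */
int drop_dac_override(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];        /* v3: two 32-bit words */
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    unsigned int keep = ~(1U << CAP_DAC_OVERRIDE);  /* cap 1 lives in word 0 */
    data[0].effective &= keep;
    data[0].permitted &= keep;
    data[0].inheritable &= keep;
    prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0);  /* best effort */
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : -1;
}

/* Make a scratch directory under /tmp (constructed, owned by us) with the
 * given mode and try to create a file in it as the owner. Returns 1 if the
 * create was allowed, 0 if denied, -1 on setup failure. Cleans up after. */
int owner_can_write_dir(mode_t mode)
{
    char dir[] = "/tmp/lpc-demo-XXXXXX";
    if (mkdtemp(dir) == NULL || chmod(dir, mode) != 0)  /* chmod beats umask */
        return -1;
    char path[64];
    snprintf(path, sizeof path, "%s/newfile", dir);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    int allowed = fd >= 0;
    if (allowed) { close(fd); unlink(path); }
    rmdir(dir);                    /* only needs write on /tmp, not on dir */
    return allowed;
}

int main(void)
{
    if (drop_dac_override() != 0) { perror("capset"); return 1; }
    printf("0755: %d   0005: %d   (1 = owner may create files)\n",
           owner_can_write_dir(0755), owner_can_write_dir(0005));
    return 0;
}
```

Run as root and as an ordinary user: both print `0755: 1   0005: 0`, which is the proposal's point that the owner bits, not the capability, decide the 0755 case.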
