Lower Process Capabilities
Serge E. Hallyn
serue at us.ibm.com
Fri Aug 14 22:05:06 UTC 2009
Quoting Steve Grubb (sgrubb at redhat.com):
> On Sunday 26 July 2009 07:32:36 pm Steve Grubb wrote:
> > What can be done is that we program the application to drop some of the
> > capabilities so that it's not all powerful. There's just one flaw in this
> > plan. The directory for /bin is 0755 root root. So, even if we drop all
> > capabilities, the root acct can still trojan a system.
> >
> > If we change the bin directory to 005, then root cannot write to that
> > directory unless it has the CAP_DAC_OVERRIDE capability. The idea with this
> > project is to not allow network facing or daemons to have CAP_DAC_OVERRIDE,
> > but to only allow it from logins or su/sudo.
>
> As discussed at the Fesco meeting last week, the lower process capabilities
> project is going to reduce the scope of this part of the proposal. At this
> point, we are going to tighten up perms on the directories in $PATH, /lib[64],
> /boot, and /root.
>
> A sample srpm can be found here for anyone wanting to try it out before alpha
> is unfrozen.
>
> http://people.redhat.com/sgrubb/files/filesystem-2.4.24-1.fc12.src.rpm
>
> Any feedback would be appreciated.
Hi Steve,
downloading and looking at filesystem.spec in the above rpm, I don't
see any special treatment for boot, root, or /lib.... Is the right
rpm at that link? If so, then I must be misunderstanding - can you
give me a diff or something to explain how it's supposed to work?
thanks,
-serge
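As an added illustration (not code from the thread or the filesystem package), here is a small Python model of the Linux DAC decision the proposal relies on: a write to a directory succeeds when the caller's class of mode bits grants it, and otherwise only if the process still holds CAP_DAC_OVERRIDE. The 0755 and 005 modes for /bin come from the thread; the modes for /lib, /boot and /root below are constructed sample values, since the thread does not state them.

```python
"""Constructed model of the DAC check behind the lower-capabilities proposal.

Group membership is simplified to one gid per process; ACLs and LSMs are
out of scope, as they are in the thread.
"""
from dataclasses import dataclass, field

CAP_DAC_OVERRIDE = "CAP_DAC_OVERRIDE"


@dataclass(frozen=True)
class Dir:
    path: str
    mode: int      # permission bits, e.g. 0o755
    uid: int = 0   # owner; root root in every case the thread discusses
    gid: int = 0


@dataclass(frozen=True)
class Proc:
    uid: int
    gid: int
    caps: frozenset = field(default_factory=frozenset)


def can_write(p: Proc, d: Dir) -> bool:
    """DAC decision for a write into directory d by process p."""
    if p.uid == d.uid:
        bits = (d.mode >> 6) & 0o7      # owner class
    elif p.gid == d.gid:
        bits = (d.mode >> 3) & 0o7      # group class
    else:
        bits = d.mode & 0o7             # other class
    if bits & 0o2:
        return True                     # mode bits grant write outright
    return CAP_DAC_OVERRIDE in p.caps   # otherwise only the capability helps


def writable_by(p: Proc, dirs) -> list:
    """Paths in dirs that process p could write into (i.e. trojan)."""
    return [d.path for d in dirs if can_write(p, d)]


# Constructed sample: /bin modes are from the thread, the rest are assumed.
BEFORE = [Dir("/bin", 0o755), Dir("/lib", 0o755), Dir("/boot", 0o755), Dir("/root", 0o750)]
AFTER = [Dir("/bin", 0o005), Dir("/lib", 0o005), Dir("/boot", 0o005), Dir("/root", 0o000)]

DAEMON = Proc(uid=0, gid=0, caps=frozenset())                   # root, all caps dropped
LOGIN = Proc(uid=0, gid=0, caps=frozenset({CAP_DAC_OVERRIDE}))  # root via login/su/sudo

if __name__ == "__main__":
    for label, dirs in (("before", BEFORE), ("after", AFTER)):
        print(label, "daemon:", writable_by(DAEMON, dirs), "login:", writable_by(LOGIN, dirs))
```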