Lower Process Capabilities
Steve Grubb
sgrubb at redhat.com
Mon Jul 27 00:54:26 UTC 2009
On Sunday 26 July 2009 08:38:45 pm Tom Lane wrote:
> Steve Grubb <sgrubb at redhat.com> writes:
> > The directory for /bin is 0755 root root. So, even if we drop all
> > capabilities, the root acct can still trojan a system.
> >
> > If we change the bin directory to 005, then root cannot write to that
> > directory unless it has the CAP_DAC_OVERRIDE capability.
>
> I trust you meant to write 0555?
No, I really mean 005 so that root daemons are using public permissions.
Admins of course have DAC_OVERRIDE and can do anything. Try the script in a VM
and tell me if there are any problems you see.
Thanks,
-Steve
More information about the devel
mailing list