RemoveSETUID feature (Was: Summary/Minutes from today's FESCo meeting (2010-10-26) NEW TIME!)

Henrik Nordström henrik at henriknordstrom.net
Thu Dec 23 00:04:48 UTC 2010


Wed 2010-12-22 at 00:59 +0100, Miloslav Trmač wrote:

> This is possible, but it would be a much larger change to the system.
> To take a particular example, look at /etc/shadow.
> 
> It needs to be protected against attackers, so it should not be owned by
> root - let's make it owned by "adm", say.

IMHO in that specific case it should be protected by two group ACLs. One
group for writing/modifying, another for reading.

No need for capabilities at all, just setgroupid and file ACLs. shadow
has no special significance to kernel functions.

Regards
Henrik
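
As an added illustration that is not part of the original message: a small Python model of the access-check order documented in acl(5), applied to the two-group layout proposed above. The group names shadow-r and shadow-w, all uid/gid numbers and the process labels are constructed for the example.

```python
# Added example: models the acl(5) access-check order for a file guarded by
# two named-group ACL entries. All ids and group names are constructed.
from dataclasses import dataclass

R, W = 4, 2  # permission bits, as in an octal mode digit

@dataclass(frozen=True)
class Acl:
    owner_uid: int
    owner_perm: int
    owning_gid: int
    group_perm: int
    named_groups: tuple  # ((gid, perm), ...) entries of type ACL_GROUP
    mask: int            # ACL_MASK: upper bound for every group-class entry
    other_perm: int = 0

def allowed(acl, euid, gids, want):
    """Unprivileged access check; named-user entries are left out of the model.
    A process holding CAP_DAC_OVERRIDE (root) is not subject to this check."""
    if euid == acl.owner_uid:
        return acl.owner_perm & want == want
    entries = ((acl.owning_gid, acl.group_perm),) + acl.named_groups
    matching = [perm for gid, perm in entries if gid in gids]
    if matching:
        # Any matching group entry may grant, but only within the mask;
        # a match that grants nothing does not fall through to "other".
        return any(perm & acl.mask & want == want for perm in matching)
    return acl.other_perm & want == want

ADM_UID, ADM_GID, SHADOW_R, SHADOW_W = 3, 4, 901, 902  # hypothetical ids

def shadow_acl(mask=R | W):
    # Roughly: setfacl -m g:shadow-r:r--,g:shadow-w:rw- /etc/shadow
    # (shadow-r and shadow-w are hypothetical group names)
    return Acl(ADM_UID, 0, ADM_GID, 0,
               ((SHADOW_R, R), (SHADOW_W, R | W)), mask)

def report(acl):
    """Return {process label: (may_read, may_write)} for sample processes."""
    procs = {"verifier, setgid shadow-r": {100, SHADOW_R},
             "updater, setgid shadow-w": {100, SHADOW_W},
             "ordinary user process": {100}}
    return {name: (allowed(acl, 1000, gids, R), allowed(acl, 1000, gids, W))
            for name, gids in procs.items()}

if __name__ == "__main__":
    for label, acl in (("mask rw-", shadow_acl()), ("mask r--", shadow_acl(R))):
        print(label, report(acl))
```

The second run shows the caveat with this scheme: `chmod` on a file that carries an ACL rewrites the mask, so a later `chmod g=r` would silently remove the writer group's write access.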


