Lower Process Capabilities

Steve Grubb sgrubb at redhat.com
Thu Aug 13 20:26:44 UTC 2009


On Sunday 26 July 2009 07:32:36 pm Steve Grubb wrote:
> What can be done is that we program the application to drop some of the
> capabilities so that it's not all powerful. There's just one flaw in this
> plan. The directory for /bin is 0755 root root. So, even if we drop all
> capabilities, the root acct can still trojan a system.
>
> If we change the bin directory to 005, then root cannot write to that
> directory unless it has the CAP_DAC_OVERRIDE capability. The idea with this
> project is to not allow network-facing programs or daemons to have
> CAP_DAC_OVERRIDE, but to only allow it from logins or su/sudo.

As discussed at the Fesco meeting last week, the lower process capabilities 
project is going to reduce the scope of this part of the proposal. At this 
point, we are going to tighten up perms on the directories in $PATH, /lib[64], 
/boot, and /root.

A sample srpm can be found here for anyone wanting to try it out before alpha 
is unfrozen.

http://people.redhat.com/sgrubb/files/filesystem-2.4.24-1.fc12.src.rpm

Any feedback would be appreciated.

-Steve
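To make the reasoning in the quoted proposal concrete, here is an added example (not part of the mail or of the Fedora filesystem package) that models the kernel's discretionary access check for writing into a directory. It reads the effective capability set from a constructed `/proc/self/status` excerpt and applies the rule the proposal depends on: root owning a 0755 directory can write to it with every capability dropped, whereas a 0005 root:root directory needs `CAP_DAC_OVERRIDE`. The directory list in `main` is constructed, and the capability numbers are those from `<linux/capability.h>`.

```python
"""Model of the Linux DAC check for directory writes (added example, not the
mail's or the filesystem package's own code).  Only the write path is
modelled: for writing into a directory the sole overriding capability is
CAP_DAC_OVERRIDE, which is exactly the capability the proposal withholds from
network-facing daemons."""
import os
import stat

# Capability numbers from <linux/capability.h>
CAP_DAC_OVERRIDE = 1

# Permission bits inside one rwx triplet of the mode word
R, W, X = 4, 2, 1

# Constructed /proc/self/status excerpt for a fully capable root process
SAMPLE_STATUS = """\
Name:\tsshd
Uid:\t0\t0\t0\t0
Gid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t0000003fffffffff
CapEff:\t0000003fffffffff
CapBnd:\t0000003fffffffff
"""


def parse_capeff(status_text):
    """Return the effective capability set (CapEff) as an integer bitmask."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapEff line found")


def has_cap(capset, cap):
    """True if capability number `cap` is present in the bitmask."""
    return bool(capset & (1 << cap))


def mode_permits(mode, owner_uid, owner_gid, uid, gid, want):
    """Classic Unix mode check: exactly one rwx triplet applies.

    The owner is judged by the owner bits only and never falls through to
    the group or other bits.  That is why a 0005 root:root directory is
    closed to a root-uid process once no capability overrides the check.
    """
    if uid == owner_uid:
        bits = (mode >> 6) & 7
    elif gid == owner_gid:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return (bits & want) == want


def may_write_dir(mode, owner_uid, owner_gid, uid, gid, capset):
    """Can a process (uid, gid, capset) create or replace entries in the directory?"""
    if mode_permits(mode, owner_uid, owner_gid, uid, gid, W | X):
        return True
    # The mode bits said no; only CAP_DAC_OVERRIDE bypasses them for writes.
    return has_cap(capset, CAP_DAC_OVERRIDE)


def audit_dirs(entries, capset, uid=0, gid=0):
    """Map path -> writable for a list of (path, mode, owner_uid, owner_gid)."""
    return {
        path: may_write_dir(mode, o_uid, o_gid, uid, gid, capset)
        for path, mode, o_uid, o_gid in entries
    }


def audit_live(paths, capset, uid=0, gid=0):
    """Same check against real directories, read-only via os.stat (skips missing ones)."""
    entries = []
    for path in paths:
        try:
            st = os.stat(path)
        except OSError:
            continue
        entries.append((path, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid))
    return audit_dirs(entries, capset, uid, gid)


if __name__ == "__main__":
    full = parse_capeff(SAMPLE_STATUS)
    dropped = full & ~(1 << CAP_DAC_OVERRIDE)  # daemon that gave up CAP_DAC_OVERRIDE
    # Constructed directory set: today's 0755 /bin beside the proposed 0005 layout
    current = [("/bin", 0o755, 0, 0), ("/usr/lib64", 0o755, 0, 0)]
    proposed = [("/bin", 0o005, 0, 0), ("/usr/lib64", 0o005, 0, 0)]
    print("root, no CAP_DAC_OVERRIDE, current perms:", audit_dirs(current, dropped))
    print("root, no CAP_DAC_OVERRIDE, proposed perms:", audit_dirs(proposed, dropped))
    print("root, full caps, proposed perms:        ", audit_dirs(proposed, full))
    # On a real system, check the directories the project tightens
    live_paths = os.environ.get("PATH", "").split(":") + ["/lib64", "/boot", "/root"]
    print("this host, root without CAP_DAC_OVERRIDE:", audit_live(live_paths, dropped))
```

`audit_live` only stats the directories; it does not change anything. Running it with `dropped` shows which directories on the host would still accept writes from a root process that had surrendered `CAP_DAC_OVERRIDE`, which is the gap the 0005 change is meant to close.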
