Lower Process Capabilities
Serge E. Hallyn
serue at us.ibm.com
Tue Jul 28 19:14:02 UTC 2009
Quoting Bill McGonigle (bill at bfccomputing.com):
> On 07/26/2009 07:32 PM, Steve Grubb wrote:
> > If we change the bin directory to 005, then root cannot write to that
> > directory unless it has the CAP_DAC_OVERRIDE capability. The idea with this
> > project is to not allow network facing or daemons have CAP_DAC_OVERRIDE, but
> > to only allow it from logins or su/sudo.
>
> What mechanism do you use to segregate things like yum-cron that do
> automatic security updates?
>
> Doesn't SELinux already support allowing non-root users to have access
> to low-numbered ports? There's also authbind and packet mangling. We
> have rsyslog rules for logfile writing now.
>
> Isn't it simpler to aim for not running daemons as root rather than
> redefining what root means?
heh, I agree - running them not as root, and with just the capabilities
they need. What Steve is doing is a step toward that.
(Then I disagree with the last part of your statement - eventually redefine
root to be just another user who happens to own the hardware. pie in the sky,
perhaps.)
-serge
More information about the fedora-devel-list
mailing list