Lower Process Capabilities

Bill McGonigle bill at bfccomputing.com
Tue Jul 28 19:06:17 UTC 2009


On 07/26/2009 07:32 PM, Steve Grubb wrote:
> If we change the bin directory to 005, then root cannot write to that 
> directory unless it has the CAP_DAC_OVERRIDE capability. The idea with this 
> project is to not allow network-facing processes or daemons to have 
> CAP_DAC_OVERRIDE, but to only allow it from logins or su/sudo.

What mechanism do you use to segregate things like yum-cron that do
automatic security updates?

Doesn't SELinux already support allowing non-root users to have access
to low-numbered ports?  There's also authbind and packet mangling.  We
have rsyslog rules for logfile writing now.

Isn't it simpler to aim for not running daemons as root rather than
redefining what root means?

-Bill

-- 
Bill McGonigle, Owner           Work: 603.448.4440
BFC Computing, LLC              Home: 603.448.1668
http://www.bfccomputing.com/    Cell: 603.252.2606
Twitter, etc.: bill_mcgonigle   Page: 603.442.1833
Email, IM, VOIP: bill at bfccomputing.com
Blog: http://blog.bfccomputing.com/
VCard: http://bfccomputing.com/vcard/bill.vcf
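The quoted point about a mode-005 directory, as an added example that is not part of this thread or of Steve's project: a small Linux C program that creates a temporary directory, sets it to mode 005, drops CAP_DAC_OVERRIDE from its own effective and permitted sets, and then tries to create a file inside. It uses the raw capget/capset system calls so it links without libcap. Whether it runs as root or as an ordinary user, the open() fails with EACCES once the capability is gone, because a 005 directory gives its owner no bits at all and root then depends on CAP_DAC_READ_SEARCH merely to traverse it. The directory template, function names and probe file name are my own choices.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Raw wrappers around the capget/capset syscalls; no libcap dependency. */
static int raw_capget(struct __user_cap_header_struct *h,
                      struct __user_cap_data_struct *d) {
    return (int)syscall(SYS_capget, h, d);
}

static int raw_capset(struct __user_cap_header_struct *h,
                      const struct __user_cap_data_struct *d) {
    return (int)syscall(SYS_capset, h, d);
}

/* 1 if CAP_DAC_OVERRIDE is in the calling thread's effective set, 0 if not, -1 on error. */
int has_effective_dac_override(void) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];          /* v3 headers carry two 32-bit words */
    memset(data, 0, sizeof data);
    if (raw_capget(&hdr, data) != 0)
        return -1;
    return (data[CAP_TO_INDEX(CAP_DAC_OVERRIDE)].effective
            & CAP_TO_MASK(CAP_DAC_OVERRIDE)) ? 1 : 0;
}

/* Remove CAP_DAC_OVERRIDE from the effective, permitted and inheritable sets.
 * Permitted can only shrink, so this is irreversible for the process.
 * An unprivileged process that never held the capability succeeds trivially. */
int drop_dac_override(void) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    if (raw_capget(&hdr, data) != 0)
        return -1;
    unsigned idx  = CAP_TO_INDEX(CAP_DAC_OVERRIDE);
    unsigned mask = CAP_TO_MASK(CAP_DAC_OVERRIDE);
    data[idx].effective   &= ~mask;
    data[idx].permitted   &= ~mask;
    data[idx].inheritable &= ~mask;
    return raw_capset(&hdr, data);
}

/* Try to create a probe file in dir. Returns 0 on success or -errno on failure. */
int try_create_in(const char *dir) {
    char path[4096];
    snprintf(path, sizeof path, "%s/probe-%ld", dir, (long)getpid());
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -errno;
    close(fd);
    unlink(path);
    return 0;
}

/* Full demonstration: make a 005 directory, drop the capability, attempt a write.
 * Returns the result of try_create_in() after the drop (expected: -EACCES),
 * or -1 if the setup itself failed. */
int demo_005_dir(void) {
    char tmpl[] = "/tmp/capdemo.XXXXXX";               /* constructed path template */
    if (mkdtemp(tmpl) == NULL)
        return -1;
    /* 005: owner and group get nothing, "other" gets r-x. The owner class always
     * applies to the owner, so even the owning uid has no write (or search) bit. */
    if (chmod(tmpl, 0005) != 0 || drop_dac_override() != 0) {
        rmdir(tmpl);
        return -1;
    }
    int rc = try_create_in(tmpl);
    chmod(tmpl, 0700);                                  /* restore so cleanup is tidy */
    rmdir(tmpl);
    return rc;
}

int main(void) {
    printf("CAP_DAC_OVERRIDE effective before drop: %d\n", has_effective_dac_override());
    int rc = demo_005_dir();
    printf("CAP_DAC_OVERRIDE effective after drop:  %d\n", has_effective_dac_override());
    printf("create in 005 dir after drop: %s\n", rc == 0 ? "succeeded" : strerror(-rc));
    return 0;
}
```

Run it once as an ordinary user and once under sudo: the first line differs (0 versus 1), but the create attempt fails with "Permission denied" in both cases, which is exactly the property the 005 mode is meant to give against a daemon that has been stripped of CAP_DAC_OVERRIDE.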
