Re: Lower Process Capabilities
- From: Steve Grubb <sgrubb redhat com>
- To: fedora-devel-list redhat com
- Subject: Re: Lower Process Capabilities
- Date: Thu, 13 Aug 2009 16:26:44 -0400
On Sunday 26 July 2009 07:32:36 pm Steve Grubb wrote:
> What can be done is that we program the application to drop some of the
> capabilities so that it's not all powerful. There's just one flaw in this
> plan. The directory for /bin is 0755 root root. So, even if we drop all
> capabilities, the root acct can still trojan a system.
>
> If we change the bin directory to 005, then root cannot write to that
> directory unless it has the CAP_DAC_OVERRIDE capability. The idea with this
> project is to not allow network facing or daemons have CAP_DAC_OVERRIDE,
> but to only allow it from logins or su/sudo.
As discussed at the FESCo meeting last week, the lower process capabilities
project is going to reduce the scope of this part of the proposal. At this
point, we are going to tighten up perms on the directories in $PATH, /lib[64],
/boot, and /root.

A sample srpm can be found here for anyone wanting to try it out before alpha
is unfrozen.

http://people.redhat.com/sgrubb/files/filesystem-2.4.24-1.fc12.src.rpm

Any feedback would be appreciated.
-Steve
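
An audit for the directories named in the message above, as an added example that is not part of the original post or of the filesystem package: it lists every directory in $PATH plus /lib, /lib64, /boot and /root and reports those that still carry a write bit, which is what a root process without CAP_DAC_OVERRIDE would need in order to modify them. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original message). Function names are
# illustrative; the directory list is the one given in the message.

# Print the audit targets, one per line: each $PATH entry plus the
# fixed directories named in the message.
audit_targets() {
    printf '%s\n' "$PATH" | tr ':' '\n'
    printf '%s\n' /lib /lib64 /boot /root
}

# check_dir DIR
# Prints "DIR: writable by <class>" for each write bit that is set and
# returns 1 if any was found. Missing directories are skipped (return 0).
# find -H follows a symlinked target such as /lib -> usr/lib, so the
# mode tested is the real directory's, not the link's.
check_dir() {
    d=$1
    [ -d "$d" ] || return 0
    flagged=0
    for spec in 0200:owner 0020:group 0002:other; do
        bit=${spec%%:*}
        who=${spec#*:}
        if [ -n "$(find -H "$d" -prune -perm "-$bit" -print 2>/dev/null)" ]; then
            echo "$d: writable by $who"
            flagged=1
        fi
    done
    return "$flagged"
}

# audit_dirs: read directory names on stdin, print findings, and
# return 1 if at least one directory was flagged.
audit_dirs() {
    rc=0
    while IFS= read -r d; do
        [ -n "$d" ] || continue
        check_dir "$d" || rc=1
    done
    return "$rc"
}

# Typical use:  audit_targets | sort -u | audit_dirs
```

On a system with the tightened permissions, the pipeline prints nothing and exits 0 for the audited directories.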