On Sun, 2004-10-03 at 10:37 -0700, Steve G wrote:
> OK, this sounds like just changing where a daemon writes the pid file instead of
> re-writing the code so fchown isn't called. Good.

Right.

> >> There are only 3 daemons that I can think of that need to be root:
> >> sshd, xinetd, crond.
> >
> > It can be a very significant amount of work to change a daemon to run as
> > non-root, like dhcpcd.
>
> Right. However, I think in the long term, you want to get as many converted as
> possible. That adds 1 more layer of protection just in case someone figures out a
> hole in SELinux.

True. But you have to weigh the effort involved in that versus other
security threats, and I don't think in a lot of these cases it's worth it.

> > There's still the general problem with discretionary access control here
> > too - A simple misconfiguration in one of the daemons before it
> > drops root privileges could cause it to overwrite the pid file for
> > another daemon, violating the system security policy.
>
> I haven't seen this, you'd have to code an exploit just for it.

I'm not talking about an exploit; a system administrator could accidentally
overwrite e.g. the <pidfile> section of /etc/dbus/system.conf when pasting in
configuration from elsewhere. SELinux will prevent the configuration error
from damaging the rest of the system.

> I'm not against the proposal. I think it helps. I just want to try to air some of
> the details so more people understand what's being proposed.

Makes sense.
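The point in the exchange above is that DAC alone does not separate the pid files of root-running daemons, whereas SELinux type enforcement does only if each daemon's pid file carries its own type rather than the generic one. The following is an added check for that, not code from this thread or from the SELinux project: it parses `ls -Z` style output and reports pid files that are still labelled with a generic type and so share a label with other daemons' pid files. The listing is constructed for illustration, and the type names (sshd_var_run_t, crond_var_run_t, dbusd_var_run_t, var_run_t) and file names are assumptions, not read from any real system.

```python
import re
from collections import defaultdict

# Constructed sample of `ls -Z /var/run` output (not captured from a real
# system); file names and SELinux types are assumptions for illustration.
SAMPLE_LS_Z = """\
-rw-r--r--. root root system_u:object_r:sshd_var_run_t:s0 /var/run/sshd.pid
-rw-r--r--. root root system_u:object_r:crond_var_run_t:s0 /var/run/crond.pid
-rw-r--r--. root root system_u:object_r:dbusd_var_run_t:s0 /var/run/messagebus.pid
-rw-r--r--. root root system_u:object_r:var_run_t:s0 /var/run/dhcpcd.pid
-rw-r--r--. root root system_u:object_r:var_run_t:s0 /var/run/xinetd.pid
"""

# Types that many daemon domains are typically allowed to write in /var/run;
# a pid file with one of these labels is not isolated from the other daemons.
GENERIC_TYPES = {"var_run_t"}

# mode, owner, group, security context, path
LINE_RE = re.compile(r"^\S+\s+\S+\s+\S+\s+(?P<ctx>\S+)\s+(?P<path>\S+)$")


def parse_ls_z(text):
    """Return {path: selinux_type} for every parseable line of ls -Z output."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # context is user:role:type:level; the type is the third field
        ctx = m.group("ctx").split(":")
        if len(ctx) < 3:
            continue
        result[m.group("path")] = ctx[2]
    return result


def find_unisolated_pidfiles(text):
    """Pid files labelled with a generic type: a daemon misconfigured with the
    wrong pid path (the accidental overwrite discussed above) could clobber
    these, because type enforcement does not single them out."""
    types = parse_ls_z(text)
    return sorted(p for p, t in types.items()
                  if p.endswith(".pid") and t in GENERIC_TYPES)


def shared_types(text):
    """Group pid files by type; any group with more than one member names
    daemons that SELinux labelling alone does not separate from each other."""
    groups = defaultdict(list)
    for path, t in parse_ls_z(text).items():
        if path.endswith(".pid"):
            groups[t].append(path)
    return {t: sorted(ps) for t, ps in groups.items() if len(ps) > 1}


if __name__ == "__main__":
    for path in find_unisolated_pidfiles(SAMPLE_LS_Z):
        print("pid file without a daemon-specific type:", path)
    for t, paths in shared_types(SAMPLE_LS_Z).items():
        print("type", t, "shared by", ", ".join(paths))
```

On a real host the same functions can be fed the output of `ls -Z /var/run` (or `/run`); the list of generic types to treat as unisolated depends on the policy in use, so adjust `GENERIC_TYPES` to match it.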