[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]
Re: Lower Process Capabilities
- From: Tom Lane <tgl redhat com>
- To: Development discussions related to Fedora <fedora-devel-list redhat com>
- Subject: Re: Lower Process Capabilities
- Date: Sun, 26 Jul 2009 20:38:45 -0400
Steve Grubb <sgrubb redhat com> writes:
> The directory for /bin is 0755 root root. So, even if we drop all
> capabilities, the root acct can still trojan a system.
> If we change the bin directory to 005, then root cannot write to that
> directory unless it has the CAP_DAC_OVERRIDE capability.
I trust you meant to write 0555?
regards, tom lane
[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]