[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Lower Process Capabilities



On Sunday 26 July 2009 08:38:45 pm Tom Lane wrote:
> Steve Grubb <sgrubb redhat com> writes:
> > The directory for /bin is 0755 root root. So, even if we drop all
> > capabilities, the root acct can still trojan a system.
> >
> > If we change the bin directory to 005, then root cannot write to that
> > directory unless it has the CAP_DAC_OVERRIDE capability.
>
> I trust you meant to write 0555?

No, I really mean 005 so that root daemons are using public permissions. 
Admins of course have DAC_OVERRIDE and can do anything. Try the script in a VM 
and tell me if there are any problems you see.

Thanks,
-Steve


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]