[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Lower Process Capabilities

On 07/26/2009 07:32 PM, Steve Grubb wrote:
> If we change the bin directory to 005, then root cannot write to that 
> directory unless it has the CAP_DAC_OVERRIDE capability. The idea with this 
> project is to not allow network facing or daemons have CAP_DAC_OVERRIDE, but 
> to only allow it from logins or su/sudo.

What mechanism do you use to segregate things like yum-cron that do
automatic security updates?

Doesn't SELinux already support allowing non-root users to have access
to low-numbered ports?  There's also authbind and packet mangling.  We
have rsyslog rules for logfile writing now.

Isn't it simpler to aim for not running daemons as root rather than
redefining what root means?


Bill McGonigle, Owner           Work: 603.448.4440
BFC Computing, LLC              Home: 603.448.1668
http://www.bfccomputing.com/    Cell: 603.252.2606
Twitter, etc.: bill_mcgonigle   Page: 603.442.1833
Email, IM, VOIP: bill bfccomputing com
Blog: http://blog.bfccomputing.com/
VCard: http://bfccomputing.com/vcard/bill.vcf

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]