[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Lower Process Capabilities



Quoting Bill McGonigle (bill bfccomputing com):
> On 07/26/2009 07:32 PM, Steve Grubb wrote:
> > If we change the bin directory to 005, then root cannot write to that 
> > directory unless it has the CAP_DAC_OVERRIDE capability. The idea with this 
> > project is to not allow network facing or daemons have CAP_DAC_OVERRIDE, but 
> > to only allow it from logins or su/sudo.
> 
> What mechanism do you use to segregate things like yum-cron that do
> automatic security updates?
> 
> Doesn't SELinux already support allowing non-root users to have access
> to low-numbered ports?  There's also authbind and packet mangling.  We
> have rsyslog rules for logfile writing now.
> 
> Isn't it simpler to aim for not running daemons as root rather than
> redefining what root means?

heh, I agree - running them not as root, and with just the capabilities
they need.  What Steve is doing is a step toward that.

(Then I disagree with the last part of your statement - eventually redefine
root to be just another user who happens to own the hardware.  pie in the sky,
perhaps.)

-serge


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]