[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Lower Process Capabilities



On Tuesday 28 July 2009 10:22:56 am Serge E. Hallyn wrote:
> > You can create an selinux context that is not allowed to exec, or only
> > allowed to exec certain things.  Or not allowed to connect to TCP
> > sockets.  Or pretty much anything else a normal user would otherwise be
> > allowed to do.
>
> This has little to do with what Steve is trying to do.

Right. All I am doing at this point is going over the daemons running as root 
and patching them to lower their capabilities. With libcap-ng, its generally 
2-3 lines of code.

As for directory perms...I'm still mulling it over. Changing perms on shadow 
and gshadow to 0000 should press forward, though.

-Steve


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]