On Sunday 26 July 2009 08:38:45 pm Tom Lane wrote: > Steve Grubb <sgrubb@xxxxxxxxxx> writes: > > The directory for /bin is 0755 root root. So, even if we drop all > > capabilities, the root acct can still trojan a system. > > > > If we change the bin directory to 005, then root cannot write to that > > directory unless it has the CAP_DAC_OVERRIDE capability. > > I trust you meant to write 0555? No, I really mean 005 so that root daemons are using public permissions. Admins of course have DAC_OVERRIDE and can do anything. Try the script in a VM and tell me if there are any problems you see. Thanks, -Steve -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
