Re: Lower Process Capabilities

Quoting Steve Grubb (sgrubb@xxxxxxxxxx):
> On Sunday 26 July 2009 08:54:26 pm Steve Grubb wrote:
> > > I trust you meant to write 0555?
> >
> > No, I really mean 005 so that root daemons are using public permissions.
> > Admins of course have DAC_OVERRIDE and can do anything. Try the script in a
> > VM and tell me if there are any problems you see.
> 
> I should elaborate more. The issue is that sometimes there are secrets that 
> root admins have access to that should not be available to semi-trusted 
> daemons. For example, any private keys in /root or /etc. You do not want any 
> daemon that could be compromised to have access to these. So, it's safest just 
> to set the permissions to 0005 so that they have no access to /root.

But 0555 will also prevent root without CAP_DAC_OVERRIDE from writing, no?
Using 0005 will mean root also needs CAP_DAC_OVERRIDE to read/execute, which
seems a bit much.  Suddenly it needs extra privilege if I just want it to
be able to execute /bin/date.  That actually seems less secure in any real
system.

> I expect a few corner cases, but other than /etc/resolve.conf I don't know of 
> any problems.
> 
> -Steve
> 
> -- 
> fedora-devel-list mailing list
> fedora-devel-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-devel-list

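To make the disagreement above concrete, here is an added model (not code from the thread or from Fedora) of the Linux DAC check, simplified after generic_permission() in fs/namei.c with ACLs and LSMs such as SELinux ignored: the kernel picks exactly one class (owner if the fsuid matches, otherwise group, otherwise other), so a root-owned directory at 0005 gives a uid-0 daemon without CAP_DAC_OVERRIDE no access at all while an unprivileged user still gets r-x, whereas 0555 lets capability-stripped root read and search but not write. Inode, Task and compare are names chosen for this illustration.

```python
from dataclasses import dataclass, field

CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH = "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH"

@dataclass(frozen=True)
class Inode:
    mode: int      # permission bits only, e.g. 0o555
    uid: int
    gid: int
    is_dir: bool = False

@dataclass(frozen=True)
class Task:
    fsuid: int
    fsgid: int
    groups: frozenset = field(default_factory=frozenset)
    caps: frozenset = field(default_factory=frozenset)

def _class_bits(inode, task):
    # The kernel picks exactly one class: owner if fsuid matches, else group, else other.
    if task.fsuid == inode.uid:
        return (inode.mode >> 6) & 7
    if task.fsgid == inode.gid or inode.gid in task.groups:
        return (inode.mode >> 3) & 7
    return inode.mode & 7

def may_access(inode, task, want):
    """want is a subset of "rwx"; True if the DAC check (mode bits, then caps) passes."""
    need = (4 if "r" in want else 0) | (2 if "w" in want else 0) | (1 if "x" in want else 0)
    if _class_bits(inode, task) & need == need:
        return True
    # Capability fallbacks, modelled on generic_permission() (ACLs and LSMs ignored)
    if CAP_DAC_OVERRIDE in task.caps and ("x" not in want or inode.is_dir or inode.mode & 0o111):
        return True
    if CAP_DAC_READ_SEARCH in task.caps and "w" not in want and ("x" not in want or inode.is_dir):
        return True
    return False

def compare(mode):
    """What different callers can do in a root-owned directory of the given mode."""
    d = Inode(mode=mode, uid=0, gid=0, is_dir=True)
    plain_root = Task(fsuid=0, fsgid=0)                      # daemon with caps dropped
    cap_root = Task(fsuid=0, fsgid=0, caps=frozenset({CAP_DAC_OVERRIDE}))
    unpriv = Task(fsuid=1000, fsgid=1000)                    # ordinary user
    return {
        "root_no_caps_read_search": may_access(d, plain_root, "rx"),
        "root_no_caps_write": may_access(d, plain_root, "w"),
        "root_dac_override_write": may_access(d, cap_root, "w"),
        "unprivileged_read_search": may_access(d, unpriv, "rx"),
    }
```

compare(0o555) and compare(0o005) differ only in the first key: 0555 keeps root without CAP_DAC_OVERRIDE readable-but-not-writable, 0005 locks that daemon out entirely while still admitting every non-root user.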