On 07/26/2009 07:32 PM, Steve Grubb wrote:
> If we change the bin directory to 005, then root cannot write to that
> directory unless it has the CAP_DAC_OVERRIDE capability. The idea with this
> project is to not allow network facing or daemons have CAP_DAC_OVERRIDE, but
> to only allow it from logins or su/sudo.

What mechanism do you use to segregate things like yum-cron that do
automatic security updates?

Doesn't SELinux already support allowing non-root users to have access
to low-numbered ports? There's also authbind and packet mangling. We
have rsyslog rules for logfile writing now.

Isn't it simpler to aim for not running daemons as root rather than
redefining what root means?

-Bill

-- 
Bill McGonigle, Owner           Work: 603.448.4440
BFC Computing, LLC              Home: 603.448.1668
http://www.bfccomputing.com/    Cell: 603.252.2606
Twitter, etc.: bill_mcgonigle   Page: 603.442.1833
Email, IM, VOIP: bill@xxxxxxxxxxxxxxxx
Blog: http://blog.bfccomputing.com/
VCard: http://bfccomputing.com/vcard/bill.vcf

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
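The permission rule in the quoted passage, as an added example that is not part of the original message or of the Fedora project's code: a simplified model of the directory write check for a uid-0 process with and without CAP_DAC_OVERRIDE. The `/proc/<pid>/status` excerpts are constructed, the bin directory is assumed to be owned by root:root, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_DAC_OVERRIDE_NR 1 /* capability number from linux/capability.h */

/* Constructed /proc/<pid>/status excerpts (not captured from a real host). */
static const char LOGIN_ROOT[] = "Uid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\n";
/* Hypothetical daemon keeping only CAP_NET_BIND_SERVICE (bit 10). */
static const char DAEMON_ROOT[] = "Uid:\t0\t0\t0\t0\nCapEff:\t0000000000000400\n";

/* Read the effective capability mask from status text; 0 on success. */
int parse_cap_eff(const char *status, uint64_t *mask) {
    const char *p = strstr(status, "CapEff:");
    char *end;
    if (!p) return -1;
    p += strlen("CapEff:");
    *mask = strtoull(p, &end, 16);
    return end == p ? -1 : 0;
}

/* Simplified model of the DAC check for creating a file in a directory:
 * choose the owner/group/other triad (supplementary groups ignored), require
 * write+search, and let CAP_DAC_OVERRIDE rescue a denial. */
int may_write_dir(unsigned uid, unsigned gid, unsigned dir_uid,
                  unsigned dir_gid, unsigned mode, uint64_t cap_eff) {
    unsigned triad = mode & 7;
    if (uid == dir_uid) triad = (mode >> 6) & 7;
    else if (gid == dir_gid) triad = (mode >> 3) & 7;
    if ((triad & 3) == 3) return 1;
    return (int)((cap_eff >> CAP_DAC_OVERRIDE_NR) & 1);
}

int main(void) {
    const char *who[] = { "login root", "daemon root" };
    const char *st[] = { LOGIN_ROOT, DAEMON_ROOT };
    for (int i = 0; i < 2; i++) {
        uint64_t caps;
        if (parse_cap_eff(st[i], &caps) != 0) return 1;
        printf("%-11s CapEff=%016llx bin 0005: %s, bin 0755: %s\n", who[i],
               (unsigned long long)caps,
               may_write_dir(0, 0, 0, 0, 0005, caps) ? "write" : "denied",
               may_write_dir(0, 0, 0, 0, 0755, caps) ? "write" : "denied");
    }
    return 0;
}
```

With mode 0755 the owner triad grants root write access regardless of capabilities, so only the 005 mode makes the outcome depend on CAP_DAC_OVERRIDE.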