Quoting Bill McGonigle (bill@xxxxxxxxxxxxxxxx): > On 07/26/2009 07:32 PM, Steve Grubb wrote: > > If we change the bin directory to 005, then root cannot write to that > > directory unless it has the CAP_DAC_OVERRIDE capability. The idea with this > > project is to not allow network facing or daemons have CAP_DAC_OVERRIDE, but > > to only allow it from logins or su/sudo. > > What mechanism do you use to segregate things like yum-cron that do > automatic security updates? > > Doesn't SELinux already support allowing non-root users to have access > to low-numbered ports? There's also authbind and packet mangling. We > have rsyslog rules for logfile writing now. > > Isn't it simpler to aim for not running daemons as root rather than > redefining what root means? heh, I agree - running them not as root, and with just the capabilities they need. What Steve is doing is a step toward that. (Then I disagree with the last part of your statement - eventually redefine root to be just another user who happens to own the hardware. pie in the sky, perhaps.) -serge -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
