Quoting Steve Grubb (sgrubb@xxxxxxxxxx):

> On Sunday 26 July 2009 07:32:36 pm Steve Grubb wrote:
> > What can be done is that we program the application to drop some of the
> > capabilities so that it's not all-powerful. There's just one flaw in this
> > plan. The directory for /bin is 0755 root root. So, even if we drop all
> > capabilities, the root acct can still trojan a system.
> >
> > If we change the bin directory to 005, then root cannot write to that
> > directory unless it has the CAP_DAC_OVERRIDE capability. The idea with this
> > project is to not allow network-facing or daemons to have CAP_DAC_OVERRIDE,
> > but to only allow it from logins or su/sudo.
>
> As discussed at the Fesco meeting last week, the lower process capabilities
> project is going to reduce the scope of this part of the proposal. At this
> point, we are going to tighten up perms on the directories in $PATH, /lib[64],
> /boot, and /root.
>
> A sample srpm can be found here for anyone wanting to try it out before alpha
> is unfrozen.
>
> http://people.redhat.com/sgrubb/files/filesystem-2.4.24-1.fc12.src.rpm
>
> Any feedback would be appreciated.

Hi Steve,

downloading and looking at filesystem.spec in the above rpm, I don't see any
special treatment for /boot, /root, or /lib.... Is the right rpm at that link?
If so, then I must be misunderstanding - can you give me a diff or something
to explain how it's supposed to work?

thanks,
-serge

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
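The mechanism Steve describes (a uid-0 process that has dropped CAP_DAC_OVERRIDE falls back to ordinary DAC bits, so a 005 root-owned directory denies it write access where 0755 allows it) can be audited with the script below. This is an added illustration for the thread, not code from the filesystem package or the lower-process-capabilities project; it models only plain mode bits (assumption: no ACLs or LSM policy are considered) and, going slightly beyond the /bin case, checks every directory in $PATH plus /lib, /lib64, /boot and /root.

```python
"""Report which of the directories named in the thread a root process that
has dropped CAP_DAC_OVERRIDE could still write to, judged by DAC bits alone."""
import os
import stat

# Fixed list from the proposal; $PATH entries are added at run time.
AUDIT_DIRS = ["/lib", "/lib64", "/boot", "/root"]


def dac_allows_write(mode, owner_uid, owner_gid, proc_uid=0, proc_gid=0):
    """Plain DAC decision. Without CAP_DAC_OVERRIDE, uid 0 is just another
    uid: the owner/group/other class is picked by uid/gid match and only the
    write bit of that class counts. `mode` may include the file-type bits."""
    if proc_uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if proc_gid == owner_gid:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit_dir(path):
    """Return (mode string, writable) for one directory as seen by a
    capability-less uid-0/gid-0 process."""
    st = os.lstat(path)
    writable = dac_allows_write(st.st_mode, st.st_uid, st.st_gid)
    return stat.filemode(st.st_mode), writable


def audit_system(extra=AUDIT_DIRS, path_env=None):
    """Audit every existing directory in $PATH plus `extra`.
    Returns {path: (mode string, writable)} with duplicates removed."""
    path_env = os.environ.get("PATH", "") if path_env is None else path_env
    results = {}
    for d in dict.fromkeys(path_env.split(os.pathsep) + list(extra)):
        if d and os.path.isdir(d):
            results[d] = audit_dir(d)
    return results


if __name__ == "__main__":
    for d, (mode, writable) in sorted(audit_system().items()):
        flag = "WRITABLE by root without CAP_DAC_OVERRIDE" if writable else "ok"
        print(f"{mode} {d}: {flag}")
```

On a stock system every directory in the list is 0755 root:root and is reported writable, which is exactly the gap the 005 proposal targets.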