On Mon, 17 Dec 2007 16:05:31 +0300 Al Boldi <a1426z@xxxxxxxxx> wrote: > Indan Zupancic wrote: > > On Mon, December 17, 2007 01:40, Tetsuo Handa wrote: > > I think you can better spend your time on read-only bind mounts. > > That would be too coarse. > Actually, who needs to create device nodes? Just prohibit everyone from creating them, except "installer" and "udev" personality. This means removing CAP_MKNOD on a global scale. (OTOH, both don't need CAP_SYS_ADMIN. Maybe udev needs CAP_SYS_MODULE...) Now, stopping people from faking hotplug events is totally another story. Is that currently possible?
Attachment:
signature.asc
Description: PGP signature
