I just wanted to point out something a lot of people may be missing,
and that is that once X is up and running, it is quite alright to
disable CAP_SYS_RAWIO
k5 /usr/src/lcap-0.0.3 # ./lcap -c -vv CAP_SYS_RAWIO
Current capabilities: 0xFFFFFFFF
17) *CAP_SYS_RAWIO
* = Capability currently allowed
k5 /usr/src/lcap-0.0.3 # ./lcap CAP_SYS_RAWIO
k5 /usr/src/lcap-0.0.3 # ./lcap
Current capabilities: 0xFFFDFFFF
0) *CAP_CHOWN 1) *CAP_DAC_OVERRIDE
2) *CAP_DAC_READ_SEARCH 3) *CAP_FOWNER
4) *CAP_FSETID 5) *CAP_KILL
6) *CAP_SETGID 7) *CAP_SETUID
8) *CAP_SETPCAP 9) *CAP_LINUX_IMMUTABLE
10) *CAP_NET_BIND_SERVICE 11) *CAP_NET_BROADCAST
12) *CAP_NET_ADMIN 13) *CAP_NET_RAW
14) *CAP_IPC_LOCK 15) *CAP_IPC_OWNER
16) *CAP_SYS_MODULE 17) CAP_SYS_RAWIO
18) *CAP_SYS_CHROOT 19) *CAP_SYS_PTRACE
20) *CAP_SYS_PACCT 21) *CAP_SYS_ADMIN
22) *CAP_SYS_BOOT 23) *CAP_SYS_NICE
24) *CAP_SYS_RESOURCE 25) *CAP_SYS_TIME
26) *CAP_SYS_TTY_CONFIG
* = Capabilities currently allowed
k5 /usr/src/lcap-0.0.3 #
[snip]
And X continues to run perfectly.
And then when I try to restart it:
Fatal server error:
xf86EnableIOPorts: Failed to set IOPL for I/O
[snip]
And now, of course, I can no longer start X until a reboot.
Capabilities are a splendid feature which needs to be more widely used
on Linux servers in my opinion. It has the potential to be a very
popular feature if properly applied.
(Just a little fact that people following the security discussion from
afar may have missed because it is not being mentioned.)
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Mon Jul 31 2000 - 21:00:15 EST