On Mon, 20 Jan 2003 01:43, Christoph Hellwig wrote:
> On Mon, Jan 20, 2003 at 01:39:39AM +0100, Russell Coker wrote:
> > > What's the reason you can't just live with DAC for sysctls?
> >
> > What exactly do you mean by "live with DAC" in this context? If you mean
> > "allow UID==0 processes to do whatever they like" then it's not going to
> > work for any sort of chroot setup.
>
> This means check the unix file permissions / ACLs only overriden by
> CAP_FOWNER processes.
I don't think that would do for my chroot environments. I want to have root
owned processes running in a chroot with no ability to escape or to affect
the outside environment (and proc is mounted in the chroot).
-- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Thu Jan 23 2003 - 22:00:22 EST