Re: request: capabilities that allow users to drop privileges further
From: Chris Wright
Date: Mon Dec 15 2003 - 17:53:52 EST
* Felix von Leitner (felix-kernel@xxxxxxx) wrote:
> I would like to be able to drop capabilities that every normal user has,
> so that network servers can limit the impact of possible future security
> problems further. For example, I want my non-cgi web server to be able
> to drop the capabilities to
Using the existing capabilities system you can limit many of these. Just
dropping privs from uid = 0 to anything else is a good start.
> * fork
rlimit
> * execve
mount fs noexec
> * ptrace
drop CAP_SYS_PTRACE
> * load kernel modules
drop CAP_SYS_MODULE
> * mknod
drop CAP_MKNOD
> * write to the file system
mount fs r/o.
In general, most of what you ask for is already there. Otherwise use
some MAC policy that gives you the control you want (check out SELinux
for example).
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
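Added example (not code from the list thread or from either poster): the
"drop uid first, then shed what the existing mechanisms already let you shed"
sequence a non-CGI daemon could run at startup. It uses raw capget/capset
and prctl via syscall numbers so no libcap is needed, and assumes Linux
(PR_SET_NO_NEW_PRIVS needs >= 3.5, which postdates the thread). The
RLIMIT_NPROC "no fork" trick is the one from the reply; its caveat is in
the comment.

```c
/* Added example, not from the mailing-list post. Assumes Linux >= 3.5. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* 1 if `cap` is in this process's effective set, 0 if not, -1 on error. */
int has_effective_cap(int cap)
{
    struct __user_cap_header_struct hdr = { .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    return (data[CAP_TO_INDEX(cap)].effective & CAP_TO_MASK(cap)) != 0;
}

/* Clear the effective, permitted and inheritable sets (CAP_SYS_PTRACE,
 * CAP_SYS_MODULE, CAP_MKNOD, ... all go). Lowering is always allowed, so
 * this works for an unprivileged uid as well. The bounding set is left
 * alone; trimming it is prctl(PR_CAPBSET_DROP) and needs CAP_SETPCAP. */
int drop_all_caps(void)
{
    struct __user_cap_header_struct hdr = { .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    return (int)syscall(SYS_capset, &hdr, data);
}

/* Make sure a later execve() cannot regain privilege through setuid or
 * file-capability binaries (complements a noexec mount). */
int set_no_new_privs(void)
{
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* The "rlimit" answer to "no fork": with RLIMIT_NPROC at 0, fork() fails
 * with EAGAIN. Caveat: the kernel skips this check for uid 0 and for
 * CAP_SYS_RESOURCE/CAP_SYS_ADMIN, so it only bites after the daemon has
 * left root, which is why changing uid comes first. */
int forbid_fork(void)
{
    struct rlimit rl = { .rlim_cur = 0, .rlim_max = 0 };
    return setrlimit(RLIMIT_NPROC, &rl);
}

int main(void)
{
    /* A real daemon does setgroups()/setgid()/setuid() to its service
     * account right here, before anything below. */
    if (drop_all_caps() != 0)    { perror("capset");    return 1; }
    if (set_no_new_privs() != 0) { perror("prctl");     return 1; }
    if (forbid_fork() != 0)      { perror("setrlimit"); return 1; }

    printf("CAP_SYS_PTRACE effective: %d\n", has_effective_cap(CAP_SYS_PTRACE));
    printf("CAP_SYS_MODULE effective: %d\n", has_effective_cap(CAP_SYS_MODULE));
    printf("CAP_MKNOD effective:      %d\n", has_effective_cap(CAP_MKNOD));

    pid_t p = fork();
    if (p == 0)
        _exit(0);
    printf("fork(): %s\n", p < 0 ? strerror(errno) : "succeeded (still uid 0?)");
    return 0;
}
```

Run it once as an ordinary user and once as root to see the RLIMIT_NPROC
caveat in action: the capability lines read 0 in both cases, but fork()
is only refused once the process is no longer uid 0.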