Re: request: capabilities that allow users to drop privileges further

From: Chris Wright
Date: Mon Dec 15 2003 - 17:53:52 EST


* Felix von Leitner (felix-kernel@xxxxxxx) wrote:
> I would like to be able to drop capabilities that every normal user has,
> so that network servers can limit the impact of possible future security
> problems further. For example, I want my non-cgi web server to be able
> to drop the capabilities to

Using the existing capabilities system you can limit many of these. Just
dropping privs from uid = 0 to anything else is a good start.

> * fork

rlimit

> * execve

mount fs noexec

> * ptrace

drop CAP_SYS_PTRACE

> * load kernel modules

drop CAP_SYS_MODULE

> * mknod

drop CAP_MKNOD

> * write to the file system

mount fs r/o.

In general, most of what you ask for is already there. Otherwise use
some MAC policy that gives you the control you want (check out SELinux
for example).

thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
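As an added example (this is not code from the thread, from Chris Wright, or from the LSM project), the C program below does at daemon start-up what the reply suggests: give up uid 0, clear the capability sets (which takes CAP_SYS_PTRACE, CAP_SYS_MODULE and CAP_MKNOD with them), use RLIMIT_NPROC as the "rlimit" answer to fork, and check that the tree it serves is mounted r/o and noexec. It assumes Linux with glibc or musl and uses the raw capget/capset syscalls so it needs no libcap; the uid/gid 65534 ("nobody") and the path "/" are illustrative assumptions, not anything the thread specifies.

```c
/* Added example, not code from the thread: privilege lockdown for a
 * non-CGI network daemon along the lines Chris Wright lists.  Assumes
 * Linux (glibc or musl).  uid/gid 65534 and the path "/" are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/resource.h>
#include <sys/statvfs.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/capability.h>

/* Clear the permitted, effective and inheritable sets of the calling
 * thread.  Reducing capabilities never needs privilege, so this works for
 * root and non-root alike.  Returns 0 or -errno.  capset is per-thread:
 * call it before creating any threads. */
static int drop_all_caps(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3] = { { 0 } };
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : -errno;
}

/* 1 if every capability set of the calling thread is empty, 0 if any
 * capability remains, -errno if capget fails. */
static int caps_are_empty(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3] = { { 0 } };
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -errno;
    for (int i = 0; i < _LINUX_CAPABILITY_U32S_3; i++)
        if (data[i].effective || data[i].permitted || data[i].inheritable)
            return 0;
    return 1;
}

/* "rlimit" for fork: with RLIMIT_NPROC at 1 and this process already
 * counted against the uid, fork() fails with EAGAIN.  Hard and soft limits
 * are set together so the process cannot raise it again.  uid 0 is exempt
 * from RLIMIT_NPROC, which is one more reason to leave uid 0 first. */
static int limit_forks(rlim_t nproc)
{
    struct rlimit rl = { nproc, nproc };
    return setrlimit(RLIMIT_NPROC, &rl) == 0 ? 0 : -errno;
}

static long current_nproc_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NPROC, &rl) != 0)
        return -errno;
    return (long)rl.rlim_cur;
}

/* "mount fs r/o" and "mount fs noexec" are the admin's job, but the daemon
 * can verify them and refuse to serve from a tree mounted otherwise.
 * Returns a bitmask of MNT_RDONLY / MNT_NOEXEC, or -errno. */
enum { MNT_RDONLY = 1, MNT_NOEXEC = 2 };
static int mount_flags(const char *path)
{
    struct statvfs st;
    if (statvfs(path, &st) != 0)
        return -errno;
    int flags = 0;
    if (st.f_flag & ST_RDONLY) flags |= MNT_RDONLY;
    if (st.f_flag & ST_NOEXEC) flags |= MNT_NOEXEC;
    return flags;
}

/* Whole procedure, in the order that matters: leave uid 0 (setuid from
 * root clears the capability sets anyway), verify the drop stuck, then
 * clear whatever remains and cap the process count.  Returns 0 or -errno. */
static int lockdown(uid_t uid, gid_t gid, rlim_t nproc)
{
    int rc;
    if (getuid() == 0 || geteuid() == 0) {
        if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
            return -errno;
        if (setuid(0) == 0)      /* if root can be regained, the drop failed */
            return -EPERM;
    }
    if ((rc = drop_all_caps()) != 0) return rc;
    if ((rc = limit_forks(nproc)) != 0) return rc;
    return 0;
}

/* Stand-alone demonstration: lock down, then show what is now refused. */
int main(void)
{
    int rc = lockdown(65534, 65534, 1);    /* assumed "nobody" uid/gid */
    if (rc != 0) {
        fprintf(stderr, "lockdown failed: %s\n", strerror(-rc));
        return 1;
    }
    int mf = mount_flags("/");             /* assumed document root */
    printf("uid=%d caps_empty=%d nproc=%ld root ro=%d noexec=%d\n",
           (int)geteuid(), caps_are_empty(), current_nproc_limit(),
           mf >= 0 && (mf & MNT_RDONLY) ? 1 : 0,
           mf >= 0 && (mf & MNT_NOEXEC) ? 1 : 0);
    pid_t pid = fork();
    if (pid < 0)
        printf("fork refused: %s\n", strerror(errno));
    else if (pid == 0)
        _exit(0);
    else { waitpid(pid, NULL, 0); printf("fork still allowed\n"); }
    return 0;
}
```

Build with `cc -Wall -o lockdown lockdown.c`. Run as root to see the uid switch followed by the refused fork; run as an ordinary user and only the capability and rlimit steps apply, but fork is still refused because the limit of 1 is already reached by the daemon itself. Everything here is a one-way door for the process: capset cannot add back what it removed, and the hard RLIMIT_NPROC cannot be raised without CAP_SYS_RESOURCE, which was just dropped.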