Re: Minimizing the number of "setuid root" daemons
From: Sundial Services (info_ns5@sundialservices.com)
Date: 12/15/02
- Previous message: Vlad T: "Re: Port 6667 ?????????"
- In reply to: Tim Haynes: "Re: Minimizing the number of "setuid root" daemons"
- Next in thread: Juha Laiho: "Re: Minimizing the number of "setuid root" daemons"
- Reply: Juha Laiho: "Re: Minimizing the number of "setuid root" daemons"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Sundial Services <info_ns5@sundialservices.com> Date: Sat, 14 Dec 2002 22:22:06 -0700
Tim Haynes wrote:
>> AFAIK PAM is a set of libraries being used at login while the process is
>> still runing as root. How does that relate to daemons?
>
> Unless the OP is thinking of a multiplicity of services requiring user-
> authentication, I'm not sure it does.
>
> Instead, I'd recommend some of the GRSecurity patches (stopping members of
> certain groups from establishing client or server sockets in the kernel)
> and some ACL-providing patches that also allow non-root users to bind to
> low port#s, although the latter is unnecessary if you just DNAT to a high
> port instead.
Yes, I am mistaken about the applicability of PAM to this situation.
What I /want/ is to be able to define flexible security-rules that would
allow me to specify exactly what a particular privileged program can and
cannot do. For example, "mail" might need to open Mail directories in
various places but I'd like to specify a regular-expression governing
exactly what files it may open and so on.
- Next message: Luke Vogel: "Re: Port 6667 ?????????"
- Previous message: Vlad T: "Re: Port 6667 ?????????"
- In reply to: Tim Haynes: "Re: Minimizing the number of "setuid root" daemons"
- Next in thread: Juha Laiho: "Re: Minimizing the number of "setuid root" daemons"
- Reply: Juha Laiho: "Re: Minimizing the number of "setuid root" daemons"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
