Re: Are capabilities worthwhile?
- From: Menno Duursma <pan@xxxxxxxxxxx>
- Date: Wed, 27 Sep 2006 21:19:32 +0200
On Wed, 27 Sep 2006 06:42:00 +0000, Bob Smith wrote:
My approach has been to have the daemons started
in rc.sysinit drop capabilities as part of their
other steps to become a daemon, and to then have
the bottom of rc.sysinit drop capabilities for
the kernel by setting /proc/sys/kernel/cap-bound.
My hope had been that once the appliance was
fully booted, it would be a little more secure
from network attacks.
It should be. However, to what extent will greatly depend on what
privileges are kept (for instance, in the case of 'bind to a low port',
successful attacks might gain the ability to spoof a login service, such
as telnet or ssh ...).
Another approach might be to fork, drop to a restricted account in one
process and communicate over some RPC means, such as a socketpair, with a
(the) still-privileged process (which of course may well be able to drop
some stuff too. I think I remember 'vsftpd' does this).
In case it's (commented) code you want to look at, named might help:
http://stuff.mit.edu/afs/dev/source/src-current/third/bind/bin/named/unix/os.c
-Menno.
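The fork-and-drop pattern Menno describes, worked through as an added example in C: a still-privileged parent binds the service port and hands the listening socket over a socketpair (SCM_RIGHTS) to a child that has already switched to a restricted account. This is illustrative code written for this page, not Menno's code and not taken from vsftpd or named. It assumes Linux/glibc (setresuid/setresgid); the unprivileged uid/gid 65534 and port 8080 are assumed values, chosen so the program also runs without root.

```c
/* Added example (not from the thread, vsftpd or named): a still-privileged
 * parent binds the service port and hands the listening socket to a child that
 * has already dropped to a restricted account, over a socketpair (SCM_RIGHTS).
 * Assumes Linux/glibc; UNPRIV_UID/UNPRIV_GID and PORT are assumed values. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <grp.h>
#include <netinet/in.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>

#define UNPRIV_UID 65534  /* "nobody" on many systems: an assumption */
#define UNPRIV_GID 65534
#define PORT 8080         /* set to 80 and run as root to exercise the real split */

/* Send one descriptor over a Unix-domain socket via SCM_RIGHTS. 0 on success. */
int send_fd(int sock, int fd) {
    char byte = 'F';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor sent by send_fd; -1 if no intact SCM_RIGHTS payload. */
int recv_fd(int sock) {
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(sock, &msg, 0) != 1 || (msg.msg_flags & MSG_CTRUNC)) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS ||
        c->cmsg_len != CMSG_LEN(sizeof(int))) return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Privileged side: bind and listen on a TCP port (all interfaces). fd or -1. */
int listen_on_port(unsigned short port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    if (fd < 0) return -1;                        /* sin_addr left 0 = INADDR_ANY */
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd); return -1;
    }
    return fd;
}

/* Drop irreversibly: supplementary groups, then gid, then uid, then verify that
 * root cannot be regained. 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() != 0) return 0;                 /* nothing to drop */
    if (setgroups(0, NULL) < 0 || setresgid(gid, gid, gid) < 0 ||
        setresuid(uid, uid, uid) < 0) return -1;
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid) return -1;
    return 0;
}

/* Self-check: pass a pipe's write end through a socketpair and show the received
 * descriptor still writes into that pipe. Returns 1 on success, 0 otherwise. */
int fd_passing_roundtrip(void) {
    int sv[2], p[2], w; char b = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || pipe(p) < 0) return 0;
    if (send_fd(sv[0], p[1]) < 0 || (w = recv_fd(sv[1])) < 0) return 0;
    if (write(w, "x", 1) != 1 || read(p[0], &b, 1) != 1) return 0;
    close(w); close(p[0]); close(p[1]); close(sv[0]); close(sv[1]);
    return b == 'x';
}

int main(void) {
    int sv[2], lfd, status;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) { perror("socketpair"); return 1; }
    pid_t pid = fork();
    if (pid < 0) { perror("fork"); return 1; }
    if (pid == 0) {                               /* restricted worker */
        close(sv[0]);
        if (drop_privileges(UNPRIV_UID, UNPRIV_GID) < 0) _exit(1);
        if ((lfd = recv_fd(sv[1])) < 0) _exit(1); /* it can no longer bind PORT itself */
        printf("worker uid=%u holds fd %d; accept() loop goes here\n", (unsigned)getuid(), lfd);
        _exit(0);
    }
    close(sv[1]);                                 /* privileged parent */
    lfd = listen_on_port(PORT);
    if (lfd < 0 || send_fd(sv[0], lfd) < 0) { perror("listen/send"); kill(pid, SIGTERM); }
    close(lfd);  /* parent keeps only the socketpair, not the service socket */
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

The order in the child matters: it drops to the restricted account before it asks the parent for anything, so even a compromised worker holds only the descriptors it was handed and cannot bind a low port or re-read private keys itself. In a real daemon the parent would keep answering further requests over the socketpair (and could shed its own capabilities down to what those requests need), which is the vsftpd/named arrangement the post refers to.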