Lowered Process Capabilities for use in Ubuntu (Security)
This session will review the Lower Process Capabilities idea that Fedora has started working on. It may be good to do this in Ubuntu as well. http://
Blueprint information
- Status: Not started
- Approver: Robbie Williamson
- Priority: Medium
- Drafter: Kees Cook
- Direction: Approved
- Assignee: Kees Cook
- Definition: Discussion
- Series goal: Accepted for lucid
- Implementation: Informational
- Milestone target: None
- Started by:
- Completed by:
Whiteboard
Work items:
investigate whether permissions gain is worth the trouble: DONE
Status: Will approve based on outcome of investigation [robbie.w]
Details:
- This doesn't appear to add any benefit over simply derooting daemons, the bulk of which has already happened. Especially since uid=0 can just change file ownership.
```
[root@fedora-
[root@fedora-
Current: =ep cap_chown,
Bounding set =
Securebits: 00/0x0
secure-noroot: no (unlocked)
secure-
secure-keep-caps: no (unlocked)
uid=0
[root@fedora-
[root@fedora-
bash: shadow: Permission denied
[root@fedora-
[root@fedora-
gdm:!!:14557::::::
[root@fedora-
[root@fedora-
----------. 1 root root 1029 2009-11-25 21:28 shadow
[root@fedora-
cat: shadow: Permission denied
```
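The argument above is that a uid 0 process whose capability set has been lowered is only kept away from a protected file if it has also lost the capabilities that let it regain access (chown the file to itself, or bypass DAC), and that a uid 0 process regains whatever is left in its bounding set on exec unless secure-noroot is set. The following audit helper is an added example, not part of the blueprint or of Fedora's work: it reads the Uid, CapEff and CapBnd fields of a /proc/<pid>/status dump (the sample dumps are constructed here) and reports whether the lowering actually protects file contents.

```python
import re

# Capability bit numbers from linux/capability.h; only the bits this check
# cares about are named, anything else is reported as cap_<n>.
CAP_NAMES = {0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
             3: "cap_fowner", 4: "cap_fsetid", 5: "cap_kill", 6: "cap_setgid",
             7: "cap_setuid", 8: "cap_setpcap", 21: "cap_sys_admin"}

# With uid 0, any one of these is enough to read a file whose mode denies it:
# chown it to yourself (cap_chown), chmod it as if you owned it (cap_fowner),
# or bypass DAC outright.
FILE_ACCESS_CAPS = {"cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner"}

def decode_mask(hex_mask):
    """Turn a CapXxx hex mask from /proc/<pid>/status into capability names."""
    value = int(hex_mask, 16)
    return {CAP_NAMES.get(bit, f"cap_{bit}")
            for bit in range(value.bit_length()) if value >> bit & 1}

def parse_status(text):
    """Pick the real uid, CapEff and CapBnd out of a /proc/<pid>/status dump."""
    fields = dict(re.findall(r"^(\w+):\s*(.*)$", text, re.M))
    return {"uid": int(fields["Uid"].split()[0]),
            "effective": decode_mask(fields["CapEff"]),
            "bounding": decode_mask(fields["CapBnd"])}

def assess(text):
    """Report whether capability lowering keeps this process away from protected
    files. A uid 0 process gets its bounding set back on exec (no secure-noroot),
    so file-access caps left in CapBnd return in any program it runs."""
    info = parse_status(text)
    is_root = info["uid"] == 0
    info["retained"] = sorted(info["effective"] & FILE_ACCESS_CAPS) if is_root else []
    info["regainable"] = sorted(info["bounding"] & FILE_ACCESS_CAPS) if is_root else []
    info["ineffective"] = bool(info["retained"] or info["regainable"])
    return info

# Constructed /proc/<pid>/status excerpts (not captured from a real system).
LOWERED_ROOT = "Name:\tsomedaemon\nUid:\t0\t0\t0\t0\nCapEff:\t0000000000000001\nCapBnd:\t000001ffffffffff\n"
LOCKED_ROOT = "Name:\tsomedaemon\nUid:\t0\t0\t0\t0\nCapEff:\t0000000000000000\nCapBnd:\t0000000000000000\n"
DEROOTED = "Name:\tsomedaemon\nUid:\t108\t108\t108\t108\nCapEff:\t0000000000000000\nCapBnd:\t000001ffffffffff\n"

if __name__ == "__main__":
    for label, dump in (("lowered root", LOWERED_ROOT), ("locked root", LOCKED_ROOT), ("derooted", DEROOTED)):
        r = assess(dump)
        print(f"{label}: uid={r['uid']} retained={r['retained']} "
              f"regainable={r['regainable']} ineffective={r['ineffective']}")
```

The first sample mirrors the session above (uid 0 keeping only cap_chown): the lowering is reported as ineffective both because cap_chown is still effective and because the full bounding set comes back on exec; the second sample shows what an effective lowering looks like, and the third shows that for a derooted daemon the capability sets are not what protects the file.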