| 1 |
On Tue, 16 Nov 2004 08:38:34 +0200, petre rodan <kaiowas@g.o> wrote: |
| 2 |
> Andy Dustman wrote: |
| 3 |
|
| 4 |
> > Of course, /root is not relabeled for root being a normal user. But |
| 5 |
> > then, if you do relabel it, it's has a context of |
| 6 |
> > system_u:object_r:default_t, which is not right either. su without the |
| 7 |
> > - works fine. |
| 8 |
> |
| 9 |
> /root(/.*)? should end up root:object_r:sysadm_home_t, not default_t. |
| 10 |
> |
| 11 |
> you should have in your users file a line like: |
| 12 |
> user root roles { sysadm_r staff_r }; |
| 13 |
|
| 14 |
What you missed was, I removed root from users, which Chris had |
| 15 |
suggested back in January. |
| 16 |
|
| 17 |
> > However I suspect there is some more locking down to do |
| 18 |
> > to keep root from doing bad things like various denial-of-service |
| 19 |
> > attacks. Just as a example: |
| 20 |
> > |
| 21 |
> > # dd if=/dev/zero of=/tmp/foo |
| 22 |
> |
| 23 |
> other then filling up the /tmp fs, I don't see what else it can do. |
| 24 |
> |
| 25 |
> > This actually seems to lock up the machine in a bad way: An oops and a |
| 26 |
> > kernel panic: Fatal Exception in Interrupt Handler, starring Sharon |
| 27 |
> > Stone. |
| 28 |
> |
| 29 |
> I can't reproduce this on my ext3 fs |
| 30 |
|
| 31 |
That doesn't surprise me, since you are using a different filesystem. |
| 32 |
I would guess this is either an XFS bug or IDE bug. However, since |
| 33 |
hardened-dev-sources is 2 releases behind the current |
| 34 |
development-sources three, it's entirely possible that the bug is |
| 35 |
already fixed. |
| 36 |
|
| 37 |
> > I have a separate XFS /tmp filesystem, running |
| 38 |
> > hardened-dev-sources. I could probably reproduce this, but won't... |
| 39 |
> |
| 40 |
> > Maybe there should be a guest_r role (or punk_r) for users we really |
| 41 |
> > don't want to do anything? |
| 42 |
> |
| 43 |
> if they are not permitted to do anything, they shouldn't have received an account in the first place. :) |
| 44 |
|
| 45 |
That is true, but we can't get rid of root entirely. |
| 46 |
|
| 47 |
Here's another issue: Gentoo includes by default the bin user. Usually |
| 48 |
(in other UNIX and Linux distributions, but not all) this is used as |
| 49 |
the owner (sometimes group) of most binaries, but Gentoo makes most |
| 50 |
binaries root-owned. (Obviously setuid binaries are another matter.) |
| 51 |
So is there any particular reason to use root over bin for ownership |
| 52 |
of binaries? Might it make a difference for SELinux if root only has |
| 53 |
normal user rights, or even less rights than normal? |
| 54 |
-- |
| 55 |
Computer interfaces should never be made of meat. |
| 56 |
|
| 57 |
Using GMail? Setting Reply-to address to <> disables this annoying feature. |
| 58 |
|
| 59 |
-- |
| 60 |
gentoo-hardened@g.o mailing list |
Archives