On Tue, 16 Nov 2004 08:38:34 +0200, petre rodan <kaiowas@g.o> wrote:
> Andy Dustman wrote:

> > Of course, /root is not relabeled for root being a normal user. But
> > then, if you do relabel it, it has a context of
> > system_u:object_r:default_t, which is not right either. su without the
> > - works fine.
>
> /root(/.*)? should end up root:object_r:sysadm_home_t, not default_t.
>
> you should have in your users file a line like:
> user root roles { sysadm_r staff_r };

What you missed was, I removed root from users, which Chris had
suggested back in January.

> > However I suspect there is some more locking down to do
> > to keep root from doing bad things like various denial-of-service
> > attacks. Just as an example:
> >
> > # dd if=/dev/zero of=/tmp/foo
>
> other than filling up the /tmp fs, I don't see what else it can do.
>
> > This actually seems to lock up the machine in a bad way: An oops and a
> > kernel panic: Fatal Exception in Interrupt Handler, starring Sharon
> > Stone.
>
> I can't reproduce this on my ext3 fs

That doesn't surprise me, since you are using a different filesystem.
I would guess this is either an XFS bug or IDE bug. However, since
hardened-dev-sources is 2 releases behind the current
development-sources tree, it's entirely possible that the bug is
already fixed.

> > I have a separate XFS /tmp filesystem, running
> > hardened-dev-sources. I could probably reproduce this, but won't...
>
> > Maybe there should be a guest_r role (or punk_r) for users we really
> > don't want to do anything?
>
> if they are not permitted to do anything, they shouldn't have received an account in the first place. :)

That is true, but we can't get rid of root entirely.

Here's another issue: Gentoo includes by default the bin user. Usually
(in other UNIX and Linux distributions, but not all) this is used as
the owner (sometimes group) of most binaries, but Gentoo makes most
binaries root-owned. (Obviously setuid binaries are another matter.)
So is there any particular reason to use root over bin for ownership
of binaries? Might it make a difference for SELinux if root only has
normal user rights, or even less rights than normal?
--
Computer interfaces should never be made of meat.

Using GMail? Setting Reply-to address to <> disables this annoying feature.

--
gentoo-hardened@g.o mailing list