Gentoo Archives: gentoo-hardened

From: "Javier Martínez" <tazok.id0@×××××.com>
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] Re: Discussion about security policy based on Linux Capabilities
Date: Thu, 03 May 2007 20:08:03
Message-Id: 897813410705031306r32fbfedj544d573bc098a1f5@mail.gmail.com
In Reply to: [gentoo-hardened] Discussion about security policy based on Linux Capabilities by tazok

Append the /usr/sbin and /usr/bin directories.

#/usr/bin
attr_set_file_dir -a CAP FILE "/usr/bin/Xorg" max_caps SYS_RAWIO SYS_TTY_CONFIG DAC_OVERRIDE

#/usr/sbin/

attr_set_file_dir -a CAP FILE "/usr/sbin/sshd" max_caps NET_BIND_SERVICE CHOWN SETGID SETUID SYS_CHROOT
attr_set_file_dir -a CAP FILE "/usr/sbin/dsniff" max_caps NET_RAW
attr_set_file_dir -a CAP FILE "/usr/sbin/tcpdump" max_caps NET_RAW
attr_set_file_dir -a CAP FILE "/usr/sbin/useradd" max_caps DAC_OVERRIDE
attr_set_file_dir -a CAP FILE "/usr/sbin/userdel" max_caps DAC_OVERRIDE
attr_set_file_dir -a CAP FILE "/usr/sbin/syslog-ng" max_caps SYS_ADMIN
--
gentoo-hardened@g.o mailing list