1 |
On Wed, Feb 18, 2009 at 02:25, Javier J. Martínez Cabezón |
2 |
<tazok.id0@×××××.com> wrote: |
3 |
> Hi, I think that /sbin/rc should be changed from a shell script, the |
4 |
> reason is that with gentoo hardened, security policies could be done |
5 |
> removing all linux capabilities to root (and CAP_DAC_OVERRIDE), in my |
6 |
> setup syslog-ng is launched as user audit (which has CAP_SYS_ADMIN and |
7 |
> CAP_DAC_OVERRIDE as minimun rsbac capabilities), and between others |
8 |
> utmp has owner as audit user. Since root has not capabilities this |
9 |
> file cannot be touched, and chmod at boot. I can't grant to /sbin/rc a |
10 |
> minimum capability CAP_DAC_OVERRIDE because it doesn't work since it's |
11 |
> a bash shell-script, and granting it to mv, chmod etc is not a good |
12 |
> idea as you can suppose :). Could it be done? |
13 |
|
14 |
Beyond the fact that rsbac-admin and rsbac-sources have been removed, |
15 |
there's no reason you can't do this. In my ~ARCH hardened systems |
16 |
with openrc, /sbin/rc is a binary and not a shell script. |