| 1 |
On Wed, Feb 18, 2009 at 02:25, Javier J. Martínez Cabezón |
| 2 |
<tazok.id0@×××××.com> wrote: |
| 3 |
> Hi, I think that /sbin/rc should be changed from a shell script, the |
| 4 |
> reason is that with gentoo hardened, security policies could be done |
| 5 |
> removing all linux capabilities to root (and CAP_DAC_OVERRIDE), in my |
| 6 |
> setup syslog-ng is launched as user audit (which has CAP_SYS_ADMIN and |
| 7 |
> CAP_DAC_OVERRIDE as minimun rsbac capabilities), and between others |
| 8 |
> utmp has owner as audit user. Since root has not capabilities this |
| 9 |
> file cannot be touched, and chmod at boot. I can't grant to /sbin/rc a |
| 10 |
> minimum capability CAP_DAC_OVERRIDE because it doesn't work since it's |
| 11 |
> a bash shell-script, and granting it to mv, chmod etc is not a good |
| 12 |
> idea as you can suppose :). Could it be done? |
| 13 |
|
| 14 |
Beyond the fact that rsbac-admin and rsbac-sources have been removed, |
| 15 |
there's no reason you can't do this. In my ~ARCH hardened systems |
| 16 |
with openrc, /sbin/rc is a binary and not a shell script. |
Archives