Bugtraq mailing list archives
Re: Linux capability bounding set weakness
From: paul () XTDNET NL (Paul Wouters)
Date: Tue, 27 Jun 2000 22:50:44 +0200
On Mon, 26 Jun 2000, Patrick Reynolds wrote:
> To make capability bounding sets at all useful, you have to disable CAP_SYS_RAWIO, which governs access to /dev/mem. Be advised that doing so will break X and any other user-space program that needs raw access to memory or I/O ports.
>
> Fix: if you disable anything in the capability bounding set, you must also disable CAP_SYS_RAWIO and CAP_SYS_MODULE.
These issues have been addressed a long time ago with LIDS (www.lids.org). There it is not init but a special program called lidsadm that is the control center of the capabilities. It has clear documentation on why you MUST restrict certain capabilities, and even has the option to compile a hardcoded list of processes (such as X :) that can access /dev/mem despite the capability setting.

I can recommend LIDS as a VERY good way to secure your system so much, you'll find it impossible to cleanly shutdown or reboot altogether :)

See http://www.ota.be/linux/workshops/20000527/ for a RealMedia overview of LIDS that I gave a few weeks ago for the OTA.

Paul
--
Only the access to the source code of our future television sets will guarantee the independence of content and technology. --- www.linuxtv.org
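The rule quoted in this thread (a bounding set that drops anything but keeps CAP_SYS_RAWIO or CAP_SYS_MODULE is not an effective restriction) can be turned into a small audit. The following Python is an added example, not code from the thread, from LIDS, or from the kernel: it parses the `CapBnd:` line that modern kernels expose per process in `/proc/<pid>/status` (the 2.2-era interface discussed in the thread was the system-wide `/proc/sys/kernel/cap-bound` instead) and reports whether the dropped set satisfies the rule. The two status snippets are constructed sample input; the capability bit numbers come from the kernel's capability.h, and the `last_cap` default of 40 is an assumption about the running kernel.

```python
"""Audit a capability bounding set against the CAP_SYS_RAWIO / CAP_SYS_MODULE rule.

Added example: the rule is that if any capability is removed from the
bounding set, CAP_SYS_RAWIO (raw /dev/mem and I/O port access) and
CAP_SYS_MODULE (loading kernel modules) must be removed too, otherwise
the restriction can be undone from inside the kernel or its memory.
"""

# Capability bit numbers as defined in the Linux kernel's capability.h.
CAP_SYS_MODULE = 16
CAP_SYS_RAWIO = 17
CAP_SYS_ADMIN = 21
CAP_SYS_BOOT = 22

CAP_NAMES = {
    CAP_SYS_MODULE: "CAP_SYS_MODULE",
    CAP_SYS_RAWIO: "CAP_SYS_RAWIO",
    CAP_SYS_ADMIN: "CAP_SYS_ADMIN",
    CAP_SYS_BOOT: "CAP_SYS_BOOT",
}

# Constructed sample input in the format of /proc/<pid>/status.
# "Weak": only CAP_SYS_BOOT (bit 22) has been dropped from the bounding set.
SAMPLE_STATUS_WEAK = (
    "Name:\tinit\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t000001ffffffffff\n"
    "CapEff:\t000001ffffffffff\n"
    "CapBnd:\t000001ffffbfffff\n"
)
# "Hardened": CAP_SYS_BOOT, CAP_SYS_RAWIO (17) and CAP_SYS_MODULE (16) dropped.
SAMPLE_STATUS_HARDENED = (
    "Name:\tinit\n"
    "CapBnd:\t000001ffffbcffff\n"
)


def parse_capbnd(status_text):
    """Return the bounding-set mask from a /proc/<pid>/status text as an int."""
    for line in status_text.splitlines():
        if line.startswith("CapBnd:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapBnd line in status text")


def dropped_caps(mask, last_cap=40):
    """Set of capability bit numbers that are cleared in the mask."""
    return {bit for bit in range(last_cap + 1) if not mask & (1 << bit)}


def audit_bounding_set(mask, last_cap=40):
    """Return a list of findings; an empty list means the rule is satisfied.

    The rule is only meaningful once something has been dropped, so a full
    bounding set is reported as a single 'nothing restricted' finding.
    """
    dropped = dropped_caps(mask, last_cap)
    if not dropped:
        return ["bounding set is full: no capability is restricted"]
    findings = []
    for cap in (CAP_SYS_RAWIO, CAP_SYS_MODULE):
        if mask & (1 << cap):
            findings.append(
                f"{CAP_NAMES[cap]} still present while "
                f"{len(dropped)} capability(ies) are dropped: "
                "the bounding set can be bypassed"
            )
    return findings


def audit_status_text(status_text, last_cap=40):
    """Convenience wrapper: parse a status text and audit its bounding set."""
    return audit_bounding_set(parse_capbnd(status_text), last_cap)


if __name__ == "__main__":
    for label, text in (("weak", SAMPLE_STATUS_WEAK),
                        ("hardened", SAMPLE_STATUS_HARDENED)):
        mask = parse_capbnd(text)
        names = sorted(CAP_NAMES.get(b, f"cap_{b}") for b in dropped_caps(mask))
        print(f"{label}: CapBnd={mask:016x} dropped={names}")
        for finding in audit_status_text(text):
            print("  -", finding)
```

On a live system the same functions can be pointed at the real file by passing `open("/proc/1/status").read()` to `audit_status_text`; the audit reads only, it does not change any capability.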