Bugtraq mailing list archives

Re: Linux capability bounding set weakness


From: paul () XTDNET NL (Paul Wouters)
Date: Tue, 27 Jun 2000 22:50:44 +0200


On Mon, 26 Jun 2000, Patrick Reynolds wrote:

To make capability bounding sets at all useful, you have to disable
CAP_SYS_RAWIO, which governs access to /dev/mem.  Be advised that doing so
will break X and any other user-space program that needs raw access to
memory or I/O ports.

Fix: if you disable anything in the capability bounding set, you must also
disable CAP_SYS_RAWIO and CAP_SYS_MODULE.

These issues have been addressed a long time ago with LIDS (www.lids.org).
There, not init, but a special program called lidsadm is the control center
of the capabilities. It has clear documentation on why you MUST restrict
certain capabilities, and even has the option to compile a hardcoded list of
processes (such as X :) that can access /dev/mem despite the capability
setting.

I can recommend lids as a VERY good way to secure your system so much, you'll
find it impossible to cleanly shutdown or reboot altogether :)

See http://www.ota.be/linux/workshops/20000527/ for a RealMedia overview
of LIDS that I gave a few weeks ago for the OTA.

Paul

--
Only the access to the source code of our future television sets will
guarantee the independence of content and technology.

 --- www.linuxtv.org
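A defender-side check for the weakness Patrick describes (a bounding set that drops some capabilities but still leaves CAP_SYS_RAWIO or CAP_SYS_MODULE in place), added here as an example; it is not code from either post or from LIDS. It assumes a modern kernel that exposes each process's bounding set as the CapBnd: line of /proc/<pid>/status as a hex bitmask (the global /proc/sys/kernel/cap-bound of 2000-era kernels used the same bit numbering), and the sample status text is constructed.

```python
"""Audit a Linux capability bounding set for retained escape hatches.

Assumption (not from the original post): the kernel exposes each process's
bounding set as the "CapBnd:" line of /proc/<pid>/status, a hex bitmask with
one bit per capability number from <linux/capability.h>.
"""
import re

# Capability bit numbers from <linux/capability.h>.
CAP_SYS_MODULE = 16   # load kernel modules: arbitrary code in the kernel
CAP_SYS_RAWIO = 17    # raw access to /dev/mem, /dev/kmem and I/O ports
ESCAPE_HATCHES = {CAP_SYS_MODULE: "CAP_SYS_MODULE", CAP_SYS_RAWIO: "CAP_SYS_RAWIO"}
LAST_CAP = 40         # CAP_CHECKPOINT_RESTORE on current kernels

# Constructed sample of the relevant /proc/<pid>/status lines: the admin has
# removed CAP_NET_ADMIN (12) and CAP_SYS_ADMIN (21) from the bounding set
# but left CAP_SYS_MODULE and CAP_SYS_RAWIO in place.
SAMPLE_STATUS = "Name:\tinit\nCapEff:\t000001ffffdfefff\nCapBnd:\t000001ffffdfefff\n"


def parse_capbnd(status_text):
    """Return the CapBnd bitmask found in the text of a /proc/<pid>/status file."""
    match = re.search(r"^CapBnd:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if match is None:
        raise ValueError("no CapBnd line found")
    return int(match.group(1), 16)


def audit_bounding_set(mask, last_cap=LAST_CAP):
    """Return (dropped, hatches): capability numbers removed from the bounding
    set, and the names of escape-hatch capabilities still present in it."""
    dropped = [bit for bit in range(last_cap + 1) if not mask & (1 << bit)]
    hatches = [name for bit, name in sorted(ESCAPE_HATCHES.items()) if mask & (1 << bit)]
    return dropped, hatches


def bounding_set_is_effective(mask, last_cap=LAST_CAP):
    """A bounding set restricts anything only if it drops at least one capability
    AND neither raw memory access nor module loading remains to bypass it."""
    dropped, hatches = audit_bounding_set(mask, last_cap)
    return bool(dropped) and not hatches


if __name__ == "__main__":
    mask = parse_capbnd(SAMPLE_STATUS)
    dropped, hatches = audit_bounding_set(mask)
    print("dropped:", dropped, "escape hatches retained:", hatches)
    print("effective:", bounding_set_is_effective(mask))
```

On a live host, replace SAMPLE_STATUS with the contents of /proc/self/status (or /proc/1/status for init) to audit the real bounding set.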


