jeff.schroeder2 at us.army.mil
Tue Nov 1 15:56:33 CST 2005


>> No, we need the cap_over LSM until we fix
>> vSecurity's freeze bug. Using cap_over LSM makes
>> it possible to work on the policy without getting
>> stuck while we work on fixing vsec.
Ok, sounds good.

In Ubuntu, users in the "admin" group are effectively
root through sudo. Should the admin group be given
access to capabilities such as "CAP_SYS_ADMIN",
"CAP_SYS_CHROOT", "CAP_SYS_NICE", "CAP_NET_ADMIN",
etc. through cap_over? More info is available in the
capabilities(7) man page.

If the answer is yes to any of those, what groups
should get what privileges by default?
Normal users (if any) vs administrators? If the apache
group is given the "CAP_NET_BIND_SERVICE" capability,
which allows it to bind to ports <1024, could apache
be successfully de-rooted? These are all things we
should be thinking of.


