[ubuntu-hardened] Removing suid root from binaries where it isn't needed
Kees Cook
kees at ubuntu.com
Wed Oct 31 03:23:42 GMT 2007
On Tue, Oct 30, 2007 at 10:46:12PM -0400, Chad Sellers wrote:
> xattrs are present in ext2 (and many other filesystems) as well if you're
> paranoid about something like this. That said, this seems pretty limited in
> usefulness. For me, SELinux and other complementary standard Linux security
> mechanisms are enough to prevent unauthorized access to my filesystem. If
> it's not for you (because of kernel exploit, physical access, or other
> reasons), then you should probably not put said data on the filesystem in
> the first place.
Being able to have a package define its needed capabilities agnostic of
available MAC systems seems like a win to me. On the other hand,
systems with a full policy/profile will find the protections redundant.
I think the fscap stuff would be a good thing to get into Hardy+1. We
can test it and start the discussion with Debian about it now, though.
-Kees
--
Kees Cook