About Ubuntu security
James Strandboge
jamie at strandboge.com
Tue Jul 31 02:52:06 UTC 2007
On Mon, 2007-07-30 at 21:10 -0400, James Strandboge wrote:
> Remember you can use capabilities to prevent loading of modules, so you
> can prevent those buggy drivers from loading at all. See:
>
> man capabilities
> man lcap (lcap is in universe)
> http://www.debian.org/doc/manuals/securing-debian-howto/securing-debian-howto.en.txt (section 10.4.2.1)

I meant to also add:

http://www.linuxjournal.com/article/5737

Also, in case you aren't aware, if removing CAP_SYS_MODULE, be sure to
do it *after* removing all other capabilities. Removing CAP_SYS_MODULE
removes access to /proc/sys/kernel/cap-bound (permission denied), and
you will thereafter not be able to adjust your capabilities any further
(until reboot that is).
Jamie Strandboge
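
The ordering rule from the message above, as an added example that is not part of the original e-mail or of lcap itself: a small sh wrapper that reorders a list of capabilities so CAP_SYS_MODULE is always removed last. The names `order_cap_drops`, `drop_caps` and `DRY_RUN` are hypothetical, and the `lcap CAP_NAME` invocation is assumed to take one capability name per call.

```shell
#!/bin/sh
# Added example: plan capability removals so CAP_SYS_MODULE goes last.
# Once CAP_SYS_MODULE is gone, /proc/sys/kernel/cap-bound is no longer
# writable, so every other removal has to happen before it.

# order_cap_drops CAP...
# Prints one capability per line, de-duplicated, with CAP_SYS_MODULE
# moved to the end (only if it was requested at all).
order_cap_drops() {
    seen=" "
    module_requested=0
    for cap in "$@"; do
        case "$cap" in
            CAP_*) ;;
            *) echo "not a capability name: $cap" >&2; return 2 ;;
        esac
        case "$seen" in *" $cap "*) continue ;; esac   # skip duplicates
        seen="$seen$cap "
        if [ "$cap" = "CAP_SYS_MODULE" ]; then
            module_requested=1          # hold it back until the end
        else
            echo "$cap"
        fi
    done
    if [ "$module_requested" -eq 1 ]; then echo "CAP_SYS_MODULE"; fi
    return 0
}

# drop_caps CAP...
# DRY_RUN=1 (the default) only prints the commands. DRY_RUN=0 runs them
# and stops at the first failure, so CAP_SYS_MODULE is never removed
# while an earlier removal is still outstanding.
drop_caps() {
    ordered=$(order_cap_drops "$@") || return $?
    if [ "${DRY_RUN:-1}" != "1" ] && [ ! -w /proc/sys/kernel/cap-bound ]; then
        echo "cap-bound is missing or not writable; nothing changed" >&2
        return 1
    fi
    for cap in $ordered; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "lcap $cap"
        else
            # Assumed lcap usage: one capability name per invocation.
            lcap "$cap" || { echo "failed on $cap; stopping" >&2; return 1; }
        fi
    done
}
```

Running `drop_caps CAP_SYS_MODULE CAP_SYS_RAWIO` in the default dry-run mode prints the `lcap` commands in the order they would be executed, with the CAP_SYS_MODULE line last.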