About Ubuntu security

James Strandboge jamie at strandboge.com
Tue Jul 31 02:52:06 UTC 2007


On Mon, 2007-07-30 at 21:10 -0400, James Strandboge wrote:

> Remember you can use capabilities to prevent loading of modules, so you
> can prevent those buggy drivers from loading at all.  See:
> 
> man capabilities
> man lcap	(lcap is in universe)
> http://www.debian.org/doc/manuals/securing-debian-howto/securing-debian-howto.en.txt (section 10.4.2.1)

I meant to also add:
http://www.linuxjournal.com/article/5737

Also, in case you aren't aware, if removing CAP_SYS_MODULE, be sure to
do it *after* removing all other capabilities.  Removing CAP_SYS_MODULE
removes access to /proc/sys/kernel/cap-bound (permission denied), and
you will thereafter not be able to adjust your capabilities any further
(until reboot that is).

Jamie Strandboge
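
The ordering described in the message above, as an added example that is not part of the original post: a small shell helper that plans a bounding-set drop so that CAP_SYS_MODULE is always removed last. The function names and the `DRY_RUN` variable are hypothetical, and the sketch assumes `lcap` is invoked with a capability name as its argument.

```shell
#!/bin/sh
# Added example (not from the original post): order a capability
# bounding-set drop so CAP_SYS_MODULE always goes last.

# order_cap_drops CAP...
# Prints the requested names one per line, duplicates removed, with
# CAP_SYS_MODULE (if requested) moved to the end of the plan.
order_cap_drops() {
    seen=" "
    module_last=""
    for cap in "$@"; do
        case "$seen" in
            *" $cap "*) continue ;;   # already planned
        esac
        seen="$seen$cap "
        if [ "$cap" = "CAP_SYS_MODULE" ]; then
            module_last=1             # defer: dropping it locks cap-bound
        else
            printf '%s\n' "$cap"
        fi
    done
    if [ -n "$module_last" ]; then
        printf '%s\n' "CAP_SYS_MODULE"
    fi
}

# drop_caps CAP...
# With DRY_RUN=1 (the default) prints one lcap command per capability in
# the safe order; with DRY_RUN=0 runs them and stops at the first failure.
drop_caps() {
    order_cap_drops "$@" | while read -r cap; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            printf 'lcap %s\n' "$cap"
        else
            lcap "$cap" || { echo "failed to drop $cap" >&2; exit 1; }
        fi
    done
}
```

Run `drop_caps` with the default dry run first and review the printed order, since a dropped capability stays dropped until reboot.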




