> normal circumstances, if I wanted to prevent that on a CAP based system, I'd
> assign ownership of raw-io devices to a user 'rawio' with pw '*' and group 'rawio'
> with a password. In that event,
It isn't just about devices
> root is not running with CAP_DAC_OVERRIDE). I can't think of circumstances
> where CAP_SYS_RAWIO is needed if DAC controls are properly configured. If a sysadmin
> who has the 'root' password, if they needed RAWIO, they could be given the
> rawio group password and newgrp to that group -- perform their actions, then
> exit. Sorry to be dense, but are there areas where that wouldn't work?
iopl, ioperm, control ioctls on devices, mmap on framebuffer mmio, ...
Alan
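The operations Alan lists (iopl, ioperm, privileged ioctls, MMIO mmap) are gated by the CAP_SYS_RAWIO capability check, not by ownership of a device node, so the defender's control point is which processes hold the capability. The following is an added example, not code from the thread or from the kernel: it decodes the CapEff/CapPrm/CapBnd masks that Linux exposes in /proc/<pid>/status (bit 17 is CAP_SYS_RAWIO, bit 1 is CAP_DAC_OVERRIDE in linux/capability.h) and reports whether CAP_SYS_RAWIO is present. The embedded status text and its mask values are constructed sample input.

```python
"""Decode the capability masks from /proc/<pid>/status and flag CAP_SYS_RAWIO.

Added example (not from the thread). Device-file DAC cannot restrict iopl(),
ioperm() or MMIO mmap, so auditing who holds CAP_SYS_RAWIO is the useful check.
"""
import re

# Bit numbers from linux/capability.h; only the ones relevant here are listed.
CAP_BITS = {
    "CAP_DAC_OVERRIDE": 1,
    "CAP_SYS_RAWIO": 17,
    "CAP_SYS_ADMIN": 21,
}

CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$")


def decode_caps(mask_hex):
    """Return the set of known capability names whose bit is set in mask_hex."""
    mask = int(mask_hex, 16)
    return {name for name, bit in CAP_BITS.items() if (mask >> bit) & 1}


def rawio_report(status_text):
    """Map each Cap* set in a /proc/<pid>/status dump to whether CAP_SYS_RAWIO is in it."""
    report = {}
    for line in status_text.splitlines():
        m = CAP_LINE.match(line)
        if m:
            report[m.group(1)] = "CAP_SYS_RAWIO" in decode_caps(m.group(2))
    return report


def bounding_set_allows_rawio(status_text):
    """True if CAP_SYS_RAWIO is still in CapBnd, i.e. could be regained via exec."""
    return rawio_report(status_text).get("CapBnd", False)


# Constructed sample: a process whose effective set contains CAP_DAC_OVERRIDE
# (bit 1) but not CAP_SYS_RAWIO (bit 17). Not captured from a real host.
SAMPLE_STATUS = """Name:\tsample
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""

# Constructed sample: full root capability set on an older kernel (41 bits).
SAMPLE_FULL_ROOT = """Name:\tsample-root
CapEff:\t000001ffffffffff
CapBnd:\t000001ffffffffff
"""

if __name__ == "__main__":
    # On a live system, read /proc/self/status (or another pid) instead.
    with open("/proc/self/status") as f:
        print(rawio_report(f.read()))
```

Running it against a live /proc/<pid>/status shows at a glance whether a process that has given up device access could still reach raw I/O through iopl/ioperm; CapBnd matters as much as CapEff, because a capability left in the bounding set can come back on exec of a file-capability binary.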
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Sun Apr 23 2000 - 21:00:09 EST