Re: Password access to re-add capabilities to running kernel

From: Chris Evans (chris@ferret.lmh.ox.ac.uk)
Date: Wed May 03 2000 - 05:32:13 EST

Next message: Tim Coleman: "Re: Promise card no longer work as ide0/1?"
Previous message: Andries Brouwer: "Re: devfs persistence"
In reply to: lamont@icopyright.com: "Re: Password access to re-add capabilities to running kernel"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 2 May 2000 lamont@icopyright.com wrote:

> > - To properly secure immutable files you need to prevent updating the raw
> > block device. This is possible by banning CAP_MKNOD then _unlinking_ the
> > sensitive block device files.
>
> gotta be done after all the devices are fsck'd and mounted, also you need
> to re-mknod the devices as part of the bootsequence, then drop CAP_MKNOD.

I've one thing to add here - this "unlink block devices" inconvenience
disappears when we get the ability to put an immutable flag on a block
device. I think Al Viro had plans to sort this as part of his VFS
cleanups, but I expect it'll be a 2.5 thing.

Cheers
Chris

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

Next message: Tim Coleman: "Re: Promise card no longer work as ide0/1?"
Previous message: Andries Brouwer: "Re: devfs persistence"
In reply to: lamont@icopyright.com: "Re: Password access to re-add capabilities to running kernel"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Sun May 07 2000 - 21:00:11 EST