[PATCH]: support for capabilities and other things...

From: Michal Kosek (michau@august.V-LO.krakow.pl)
Date: Sat May 13 2000 - 08:04:03 EST


Hello,

we wrote a patch we'd like to share... OK, it isn't a big thing, but we
think it adds support for some things that aren't available and - as we
think - should be in normal kernel releases:

- possibility to define a UID/GID that has some specific capability
(simplest example - you can make ping suid to that UID and thus decrease
the number of suid-root files in the system)

- configure the number of processes that can be left for root (there is
already such a value in the kernel, but it's better to put it into config, I
think); and configure the amount of memory that must always be available
for root (that can help while fighting against some DoSes...)

- set the UID of the "real-time user" whose processes have the highest priority.
It may also be some protection against DoSes.

We posted information about our patch to other groups and got no answer,
so we don't know if it's so poor or so good;) So we hope you'll send us
some comments...

Now only versions for 2.2.13 and 2.2.14 are available. The 2.2.15
version will be ready in a few days, and we'll also make a 2.3 version soon (we
haven't been working on development kernels so far...).

Last thing: there is one thing that makes my patch non-POSIX-compliant.
But I think that such behaviour should be better. I don't explain
everything here, just read Documentation/security.txt section 'WHAT'S
GOING ON WITH setuid AND setgid' and tell us what you think about it...

Oh (I almost forgot): our patch is here:
ftp://ftp.v-lo.krakow.pl/pub/linux/patches/

Regards,

-- 
Michal Kosek & Eryk Schiller

You should pay homage to my homepage http://www.v-lo.krakow.pl/klasa4e/dziady3.html (For Polish Linux lovers - rest won't understand...;)
