Re: disable-cap-mlock

From: Marc-Christian Petersen
Date: Thu Apr 01 2004 - 12:56:21 EST

Next message: William Lee Irwin III: "Re: disable-cap-mlock"
Previous message: Davide Libenzi: "Re: epoll reporting events when it hasn't been asked to"
In reply to: William Lee Irwin III: "Re: disable-cap-mlock"
Next in thread: William Lee Irwin III: "Re: disable-cap-mlock"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thursday 01 April 2004 19:44, William Lee Irwin III wrote:

Hi,

> > What prevents any uid 0 process from changing these sysctl settings
> > (aside from SELinux, if you happen to use it and configure the policy
> > accordingly)?

> I'm aware it does some very unintelligent things to the security model,
> e.g. anyone with fs-level access to these things can basically escalate
> their capabilities to "everything". Maybe some kind of big fat warning
> is in order.

hmm, maybe a /proc/sys/capability/lock and if set to 1 you can't change any of
the sysctl variables, even root should not be allowed to change lock back,
until you do a reboot. Practical?

ciao, Marc
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: William Lee Irwin III: "Re: disable-cap-mlock"
Previous message: Davide Libenzi: "Re: epoll reporting events when it hasn't been asked to"
In reply to: William Lee Irwin III: "Re: disable-cap-mlock"
Next in thread: William Lee Irwin III: "Re: disable-cap-mlock"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]