On Sat, 22 Jul 2000, Ville Herva wrote:
> > > Of course, kernel module loading should be disabled as well (or made
> > > available only via challange-response authentication or something (*)).
> >
> > You can load all needed modules and then disable modules loading with the
> > same /proc/sys/kernel/cap-bound ...
>
> Good.
Of course you need to keep your bootable medium protected, ot at least the
kernel. I think linux implements the concept of immutable files but I may
have the os:s mixed up.
It is a usability vs. security issue. You can tighten security immensly
through capabilities, but then you will have a much harder time as an
administrator.
Peter
-- Peter Svensson ! Pgp key available by finger, fingerprint: <petersv@psv.nu> ! 8A E9 20 98 C1 FF 43 E3 07 FD B9 0A 80 72 70 AF <petersv@df.lth.se> ! ------------------------------------------------------------------------ Remember, Luke, your source will be with you... always...- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Sun Jul 23 2000 - 21:00:19 EST