Re: disable-cap-mlock
From: Marc-Christian Petersen
Date: Thu Apr 01 2004 - 12:56:21 EST
On Thursday 01 April 2004 19:44, William Lee Irwin III wrote:
Hi,
> > What prevents any uid 0 process from changing these sysctl settings
> > (aside from SELinux, if you happen to use it and configure the policy
> > accordingly)?
> I'm aware it does some very unintelligent things to the security model,
> e.g. anyone with fs-level access to these things can basically escalate
> their capabilities to "everything". Maybe some kind of big fat warning
> is in order.
hmm, maybe a /proc/sys/capability/lock and if set to 1 you can't change any of
the sysctl variables, even root should not be allowed to change lock back,
until you do a reboot. Practical?
ciao, Marc
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/