Jim, Not the capability _bounding_ set. Check the 'lcap' package. The only time the capabilities are restored is when the machine is rebooted, and only a process which originated as a kernel thread (i.e., init, kswapd, etc) can restore capabilities without a reboot. None of those programs will do this, so make /sbin/init immutable (which it should be anyway), and your system is pretty much air-tight, as far as remote attacks go.
Regards, Alex. --- PGP/GPG Fingerprint: EFD1 AC6C 7ED5 E453 C367 AC7A B474 16E0 758D 7ED9 -----BEGIN GEEK CODE BLOCK----- Version: 3.12 GCM d- s:+ a--- C++++ UL++++ P L+++ E W++ N o-- K- w O--- M- V- PS+ PE- Y PGP t+ 5 X- R tv+ b DI--- D+ G e-- h++ r--- y ------END GEEK CODE BLOCK------ On Fri, 28 Apr 2000, Jim Breton wrote: > On Thu, Apr 27, 2000 at 05:35:42PM -0800, Ethan Benson wrote: > > why zap an immutable log file? it won't contain any new entries since > > syslogd cannot write to it either :P you probably mean the append > > only bit. which is indeed useful on logs but breaks log rotation > > which is rather annoying. > > Yup I did mean append-only. You could always mix a chattr -a, chattr +a > into your log rotation scripts to work around that. > > > > someone else mentioned Linux Privileges (misnomer capabilities) which > > i think can be used to get the BSD style immutable bit -- root can set > > but not remove. but still that is damned inconvenient if you want to > > upgrade something legitimately and have to reboot to do it. (almost > > like NT, gah) > > Yep. Actually I'm not completely familiar with this yet, I tried to set > it up on my box but didn't encounter much success because I think I > didn't correctly compile the caps into the kernel. There's supposedly > one or two edits you have to make and the doc I saw wasn't very clear. > > But from what I've seen so far, I do believe you would be able to > somehow add capabilities to a running process (as well as remove them). > > Just don't ask me how yet. :) > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] >