Tomasz Pala wrote:
> On Sat, Feb 06, 2010 at 12:04:07 +0100, Zbyniu Krzystolik wrote:
>
> > My note may be of interest to you (pl); libcap-ng utils can simplify it.
> > http://zz.iapt.pl/bez_root2.txt
>
> That's similar to the thing I want to do. The difference is you drop
> capabilities, and I want to set some for regular users (either
> designated - for daemons having their own files and secrets, or nobody
> for anything else, using start-stop-daemon --chuid). Like this:
>
> setcap cap_net_bind_service=ei =nc
> execcap cap_net_bind_service=i su - gotar -c 'nc -l -p 34'

Like this? :) http://zz.iapt.pl/bez_root.txt

> but this obviously requires tagging binaries. The problem is tracking
> all the xattrs (caps and ACLs).

Yep.

> Especially if I need to restrict some accounts (i.e. give some
> permissions to normal accounts) more than hardening daemons...

I want it too. :)

Zbyniu
-- 
%% Absolutely nothing we trust %%

_______________________________________________
pld-devel-en mailing list
pld-devel-en@lists.pld-linux.org
http://lists.pld-linux.org/mailman/listinfo/pld-devel-en
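An added example, not from the thread or from libcap-ng, for the tracking problem raised above: a decoder for the raw security.capability xattr that setcap writes (revisions 1 to 3), rendered in getcap's letter convention so that the cap_net_bind_service=ei case from the quoted commands round-trips. The sample bytes are constructed here, and the renderer emits one clause per capability rather than getcap's grouped form.

```python
import struct

# security.capability layout (linux/capability.h): a little-endian u32
# magic_etc (revision in the top byte, effective flag in bit 0), then 1 (rev 1)
# or 2 (rev 2/3) pairs of u32 permitted/inheritable words, low word first;
# revision 3 appends a u32 rootid for user-namespace-scoped capabilities.
VFS_CAP_FLAGS_EFFECTIVE = 0x1
WORDS_PER_REVISION = {1: 1, 2: 2, 3: 2}
# Capability numbers from linux/capability.h (subset; others render as cap_<n>).
CAP_NAMES = {0: "cap_chown", 1: "cap_dac_override", 7: "cap_setuid",
             10: "cap_net_bind_service", 12: "cap_net_admin",
             13: "cap_net_raw", 21: "cap_sys_admin"}

def decode_cap_xattr(raw: bytes) -> dict:
    """Parse a raw security.capability value into 64-bit permitted/inheritable masks."""
    if len(raw) < 4:
        raise ValueError("security.capability value too short")
    magic_etc = struct.unpack_from("<I", raw, 0)[0]
    revision = magic_etc >> 24
    nwords = WORDS_PER_REVISION.get(revision)
    if nwords is None:
        raise ValueError(f"unsupported vfs_cap_data revision {revision}")
    expected = 4 + 8 * nwords + (4 if revision == 3 else 0)
    if len(raw) != expected:  # reject truncated or padded values instead of guessing
        raise ValueError(f"revision {revision} needs {expected} bytes, got {len(raw)}")
    permitted = inheritable = 0
    for i in range(nwords):
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    rootid = struct.unpack_from("<I", raw, 4 + 8 * nwords)[0] if revision == 3 else 0
    return {"revision": revision, "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": permitted, "inheritable": inheritable, "rootid": rootid}

def cap_text(caps: dict) -> str:
    """Render like getcap: libcap reports E = P | I when the effective bit is set."""
    clauses = []
    for bit in range(64):
        in_p, in_i = caps["permitted"] >> bit & 1, caps["inheritable"] >> bit & 1
        if not (in_p or in_i):
            continue
        flags = ("e" if caps["effective"] else "") + "i" * in_i + "p" * in_p
        clauses.append(f"{CAP_NAMES.get(bit, f'cap_{bit}')}={flags}")
    return " ".join(clauses)  # one clause per capability; getcap groups equal flags

# Constructed sample (not captured from a real system): the value that
# "setcap cap_net_bind_service=ei nc" writes in the revision 2 layout.
SAMPLE_NC_XATTR = bytes.fromhex("01000002" "00000000" "00040000" "00000000" "00000000")
```

On Linux, os.getxattr(path, "security.capability") returns exactly these raw bytes, so the decoder can drive an os.walk over a tree to inventory every tagged binary without relying on getcap output parsing.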