Hi, >> - Maybe set security bit SECBIT_NOROOT. It removes capabilities from all >> suid-root processes it may try to call. > > This would be in the spirit of the exec plugin which refuses to run any > external programs / scripts as root. However, I'm not entirely sure if > that's a good idea, though, as that just limits the possibilities of the > user while I don't see much security benefits. > > Cheers, Many times I had to write silly wrappers/crons just because some stat data had to be obtained as root user. What would be nice is a ability to specify enabled capabilities per exec while allowing to run them on user root (possibly with IKnowThatIsUnsafe switch ;) )
-- Mariusz Gronczewski -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org