Re: Checksums on ftp

To: Alexander Hvostov <vulture@aoi.dyndns.org>
Cc: debian-security@lists.debian.org
Subject: Re: Checksums on ftp
From: Jim Breton <jamesb-debian@alongtheway.com>
Date: Fri, 28 Apr 2000 06:55:28 +0000
Message-id: <[🔎] 20000428065528.Q23709@alongtheway.com>
In-reply-to: <[🔎] Pine.LNX.4.21.0004272336490.2017-100000@cornerstone.core.aoi>; from vulture@aoi.dyndns.org on Thu, Apr 27, 2000 at 11:44:23PM -0700
References: <[🔎] 20000428020307.O23709@alongtheway.com> <[🔎] Pine.LNX.4.21.0004272336490.2017-100000@cornerstone.core.aoi>

On Thu, Apr 27, 2000 at 11:44:23PM -0700, Alexander Hvostov wrote:
> Not the capability _bounding_ set. Check the 'lcap' package. The only time
> the capabilities are restored is when the machine is rebooted, and only a
> process which originated as a kernel thread (i.e., init, kswapd, etc) can
> restore capabilities without a reboot. None of those programs will do
> this, so make /sbin/init immutable (which it should be anyway), and your
> system is pretty much air-tight, as far as remote attacks go.

Thanks, I just downloaded the source and will start messing with it.
I've found various other cap utils around the 'net in scattered places
too.

Regarding which processes can change caps: couldn't one set up an
additional runlevel that would contain a few scripts to set
capabilities, then run "telinit 8" (for example)?  The init process
would be executing those scripts and could therefore alter the
capabilities, no?

Just trying to get a better handle on this.  :)

Reply to:

Follow-Ups:
- Re: Checksums on ftp
  - From: Alexander Hvostov <vulture@aoi.dyndns.org>

References:
- Re: Checksums on ftp
  - From: Jim Breton <jamesb-debian@alongtheway.com>
- Re: Checksums on ftp
  - From: Alexander Hvostov <vulture@aoi.dyndns.org>

Prev by Date: Re: Checksums on ftp
Next by Date: Re: Checksums on ftp
Previous by thread: Re: Checksums on ftp
Next by thread: Re: Checksums on ftp
Index(es):
- Date
- Thread