Re: A question about Knark and modules

To: debian-security@lists.debian.org
Subject: Re: A question about Knark and modules
From: Philipp Schulte <p.schulte@matrix.uni-duisburg.de>
Date: Mon, 18 Jun 2001 08:56:03 +0200
Message-id: <[🔎] 20010618085603.A16897@nepomuk.matrix.uni-duisburg.de>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <[🔎] 20010617224217.V417@plato.local.lan>; from erbenson@alaska.net on Sun, Jun 17, 2001 at 10:42:17PM -0800
References: <[🔎] 002301c0f724$562f07e0$0200a8c0@terminal02> <[🔎] 20010617052802.I417@plato.local.lan> <[🔎] 20010618013815.H1723@llama.nslug.ns.ca> <[🔎] 20010617224217.V417@plato.local.lan>

On Sun, Jun 17, 2001 at 10:42:17PM -0800, Ethan Benson wrote: 

> you would need to fix filesystem immutability and block device access
> as well.   currently lcap CAP_LINUX_IMMUTABLE is useless since there
> is no way to deny root the ability to write directly to /dev/hda* and
> remove the immutable bits (ive written a script to remove chattr +i
> and +a even when CAP_LINUX_IMMUTABLE is removed from the bounding set,
> no reboot required). 

I thought CAP_SYS_RAWIO would take care of that issue?
Is is still possible to chattr +i if CAP_SYS_RAWIO is removed?
Phil

Reply to:

Follow-Ups:
- Re: A question about Knark and modules
  - From: Ethan Benson <erbenson@alaska.net>

References:
- Re: A question about Knark and modules
  - From: "Sjarn Valkhoff" <valkho1@mailme.co.za>
- Re: A question about Knark and modules
  - From: Ethan Benson <erbenson@alaska.net>
- Re: A question about Knark and modules
  - From: Peter Cordes <peter@llama.nslug.ns.ca>
- Re: A question about Knark and modules
  - From: Ethan Benson <erbenson@alaska.net>

Prev by Date: gnupg problem
Next by Date: Re: A question about Knark and modules
Previous by thread: Re: A question about Knark and modules
Next by thread: Re: A question about Knark and modules
Index(es):
- Date
- Thread