
Re: A question about Knark and modules



On Mon, Jun 18, 2001 at 12:43:41PM +0200, Philipp Schulte wrote:
> On Mon, Jun 18, 2001 at 12:35:13AM -0800, Ethan Benson wrote: 
> 
> > chattr +i and +a cannot be set or removed if CAP_LINUX_IMMUTABLE is
> > removed from the bounding set.  however that does not prevent root
> > from messing with /dev/hda* directly, neither does CAP_SYS_RAWIO.  
> > 
> > there is no capability that allows you to deny root access to the raw
> > block devices, so removing the immutable bit is trivially easy. 
> 
> Ok, so just to make sure: http://www.lids.org/lids-howto/node53.html
> is claiming that CAP_SYS_RAWIO allows access to raw block devices.

they are mistaken.

> Does LIDS change the behaviour of the cap or are they claiming
> something wrong?

they do make all sorts of changes to the kernel since the current
capability bounding set isn't complete enough to accomplish anything
that can't be trivially undone by moving stuff around the filesystem
and rebooting once.  

the trouble with lids, or more so the ideas they go with, is you break
your system so badly that it becomes impossible to administer,
certainly impossible to admin remotely.  the cost is too high IMO.  

> BTW: Are there any "proof of concept" for this vulnerability?

which? the /dev/mem restoration of the capability bounding set, or
removing chattr +i even when CAP_LINUX_IMMUTABLE is removed?  for the
latter i have a script that does it.  for the former not that i know
of, but if i were better at C i think i could put one together in an
hour or less, here is the explanation:

http://www.netcom.com/~spoon/lcap/bugtraq.txt

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
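
As an added example (not part of the thread above, and not lcap or LIDS code): a small C program that reads the calling process's capability bounding set and reports whether the two capabilities discussed in the message, CAP_LINUX_IMMUTABLE and CAP_SYS_RAWIO, are still in it. It reads the CapBnd line of /proc/self/status, which is where current kernels expose the per-process bounding set (the global /proc/sys/kernel/cap-bound that lcap toggled on 2.2/2.4 kernels no longer exists). The capability numbers are the stable values from <linux/capability.h>; the helper names and the sample CapBnd lines used for checking the parser are my own.

```c
/* Added example, not from the original thread. Parse the CapBnd line of
 * /proc/self/status and test individual capability bits.
 * Assumption: a Linux /proc with the CapBnd field (2.6.25 and later). */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability numbers from <linux/capability.h>; these are a stable ABI. */
#define CAP_LINUX_IMMUTABLE 9
#define CAP_SYS_RAWIO       17
#define CAP_SYS_ADMIN       21

/* Parse a line of the form "CapBnd:\t000001ffffffffff" into a 64-bit mask.
 * Returns 0 on success, -1 if the line is not a CapBnd line or is malformed. */
int parse_capbnd_line(const char *line, uint64_t *mask)
{
    const char *p = line;
    if (strncmp(p, "CapBnd:", 7) != 0)
        return -1;
    p += 7;
    while (*p == ' ' || *p == '\t')
        p++;
    char *end;
    errno = 0;
    unsigned long long v = strtoull(p, &end, 16);
    if (errno != 0 || end == p)
        return -1;
    *mask = (uint64_t)v;
    return 0;
}

/* Return 1 if capability number `cap` is set in `mask`, 0 otherwise. */
int cap_in_mask(uint64_t mask, int cap)
{
    if (cap < 0 || cap >= 64)
        return 0;
    return (int)((mask >> cap) & 1ULL);
}

/* Read the bounding set of the calling process. Returns -1 on error. */
int read_own_capbnd(uint64_t *mask)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    char line[256];
    int rc = -1;
    while (fgets(line, sizeof line, f)) {
        if (parse_capbnd_line(line, mask) == 0) {
            rc = 0;
            break;
        }
    }
    fclose(f);
    return rc;
}

int main(void)
{
    uint64_t bnd;
    if (read_own_capbnd(&bnd) != 0) {
        perror("reading CapBnd from /proc/self/status");
        return 1;
    }
    printf("CapBnd = %016llx\n", (unsigned long long)bnd);
    printf("CAP_LINUX_IMMUTABLE: %s\n",
           cap_in_mask(bnd, CAP_LINUX_IMMUTABLE) ? "present" : "dropped");
    printf("CAP_SYS_RAWIO:       %s\n",
           cap_in_mask(bnd, CAP_SYS_RAWIO) ? "present" : "dropped");
    printf("CAP_SYS_ADMIN:       %s\n",
           cap_in_mask(bnd, CAP_SYS_ADMIN) ? "present" : "dropped");
    /* Even with both dropped, whether root can open /dev/hda* or /dev/sda*
     * is decided by the mode bits on the device node, not by a capability,
     * which is the point Ethan makes above. */
    return 0;
}
```

Run it as root on a box where the immutable-related capabilities have been removed from the bounding set and it will print "dropped" for those two lines; the block device nodes under /dev remain openable regardless, because no capability bit governs that open.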


