
lcap support within the boot-scripts



I want to suggest here adding Linux/(POSIX) capability support to the usual daemon boot scripts.

Like this:
*** /etc/init.d/skeleton	Tue Mar  3 13:04:00 1998
--- /home/ct/skeleton.lcap	Mon Jul  2 18:38:08 2001
***************
*** 14,21 ****
--- 14,23 ----
  DAEMON=/usr/sbin/daemon
  NAME=daemon
  DESC="some daemon"
+ CAPABILITIES="CAP_CHOWN CAP_KILL ...."
  
  test -f $DAEMON || exit 0
+ test -f /sbin/lcap && /sbin/lcap -z $CAPABILITIES
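
Review bot: the added `test -f /sbin/lcap && /sbin/lcap -z $CAPABILITIES` line fails open. If /sbin/lcap is missing, not executable, or exits non-zero, the script carries on silently and the daemon starts with no capability restriction and no message. Consider `test -x` instead of `test -f`, and at least print a warning (or exit) when the call does not succeed. The `....` in the `CAPABILITIES="CAP_CHOWN CAP_KILL ...."` template line would be passed to lcap as a literal argument if a maintainer copies the skeleton unchanged; an empty default plus a comment listing example names would be safer. The lcap call also makes no reference to `$DAEMON` and sits directly after the `test -f $DAEMON || exit 0` check, so it runs on every invocation of the script; a comment stating what the restriction is meant to apply to would help reviewers of the individual daemon packages.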
 
With a little effort we will gain a lot of (or at least some) security improvement.
Sure, it has its pros and cons; that's why I'm asking/suggesting it here.
Notable points:
	lcap needs to be installed in /sbin instead of /usr/sbin.

	It only makes sense if this is supported for all daemons (thinking that the system
	is protected while some daemons don't use it would be really bad;
	then we can keep it as it is and anyone can add lcap by himself).

	lcap is Linux-specific; while POSIX defines capabilities, I don't know how other
	kernels (HURD) implement them and which tools are available.

	If the people here agree with this idea, I might need some assistance in filing a bug report
	(against wishlist/debian-policy? or against the lcap package?
	or against the daemon packages?)

cya Christian


