
Re: A question about Knark and modules



On Mon, Jun 18, 2001 at 08:56:03AM +0200, Philipp Schulte wrote:
> On Sun, Jun 17, 2001 at 10:42:17PM -0800, Ethan Benson wrote: 
> 
> > You would need to fix filesystem immutability and block device access
> > as well.   Currently lcap CAP_LINUX_IMMUTABLE is useless since there
> > is no way to deny root the ability to write directly to /dev/hda* and
> > remove the immutable bits (I've written a script to remove chattr +i
> > and +a even when CAP_LINUX_IMMUTABLE is removed from the bounding set,
> > no reboot required). 
> 
> I thought CAP_SYS_RAWIO would take care of that issue?
> Is it still possible to chattr +i if CAP_SYS_RAWIO is removed?

chattr +i and +a cannot be set or removed if CAP_LINUX_IMMUTABLE is
removed from the bounding set.  However, that does not prevent root
from messing with /dev/hda* directly; neither does CAP_SYS_RAWIO.  

There is no capability that allows you to deny root access to the raw
block devices, so removing the immutable bit is trivially easy. 

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
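
Ethan's point turns on whether a capability is actually gone from the bounding set, which is something worth checking before trusting lcap at all. The script below is an added example, not code from the original thread or from lcap. It audits the hex CapBnd mask that later kernels report in /proc/<pid>/status for the two capabilities discussed here (bit numbers from linux/capability.h; the 2.4-era /proc/sys/kernel/cap-bound that lcap edits holds the same bits as a decimal value, which this script does not parse). The two status snippets it runs on are constructed for the demo, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original thread or from lcap): audit a capability
# bounding-set mask for CAP_LINUX_IMMUTABLE and CAP_SYS_RAWIO. Modern kernels
# expose the bounding set as the hex "CapBnd:" line in /proc/<pid>/status.
# Bit numbers are those from linux/capability.h.

CAP_LINUX_IMMUTABLE=9
CAP_SYS_RAWIO=17

# cap_in_mask HEXMASK BIT: succeed (exit 0) if BIT is set in HEXMASK.
cap_in_mask() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# capbnd_mask STATUSFILE: print the CapBnd hex mask from a /proc/<pid>/status
# file, or fail (exit 2) if the file has no such line.
capbnd_mask() {
    mask=$(awk '/^CapBnd:/ { print $2; exit }' "$1")
    [ -n "$mask" ] || { echo "no CapBnd line in $1" >&2; return 2; }
    echo "$mask"
}

# audit_capbnd STATUSFILE: report whether CAP_LINUX_IMMUTABLE and CAP_SYS_RAWIO
# are still in the bounding set. Returns 0 only when both have been dropped.
audit_capbnd() {
    mask=$(capbnd_mask "$1") || return 2
    rc=0
    for entry in "CAP_LINUX_IMMUTABLE=$CAP_LINUX_IMMUTABLE" "CAP_SYS_RAWIO=$CAP_SYS_RAWIO"; do
        name=${entry%%=*}; bit=${entry##*=}
        if cap_in_mask "$mask" "$bit"; then
            echo "$name: still in bounding set (mask $mask)"
            rc=1
        else
            echo "$name: dropped"
        fi
    done
    return $rc
}

# Demo on two constructed status snippets (not captured from a real host):
# a full 41-bit bounding set, and the same set with bits 9 and 17 cleared.
demo_dir=$(mktemp -d)
printf 'Name:\tbash\nCapBnd:\t000001ffffffffff\n' > "$demo_dir/full.status"
printf 'Name:\tbash\nCapBnd:\t000001fffffdfdff\n' > "$demo_dir/locked.status"

echo "== unrestricted =="; audit_capbnd "$demo_dir/full.status" || true
echo "== after dropping both =="; audit_capbnd "$demo_dir/locked.status" || true
rm -rf "$demo_dir"
```

Run `audit_capbnd /proc/self/status` on a live system to see what the current shell inherited. A clean result only means chattr can no longer flip +i/+a; it says nothing about the bypass Ethan describes, since a root process that can open /dev/hda* for writing needs no capability bit at all, so the mask has nothing to deny.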
