
Re: Review: sect. 4.16.2 of the Securing Debian manual



Hi

On Thu, Mar 13, 2003 at 10:22:19PM +1100, Frederic Schutz wrote:
> On Thu, 13 Mar 2003, Alexander Reelsen wrote:
> > Are you sure on this one?
> >
> > # sysctl -A | grep cap-bound
> > kernel.cap-bound = -257
> >
> > Being it a sysctl parameter makes me wonder whether you can set things
> > runtime (if you have the appropriate capability of course). lcap does
> > exactly that, writing in this procfile.
> "Capabilities" is the next section that I plan to write/rewrite :-) The
> interesting point about capabilities is that once one of them has been
> removed, it can not be added back -- so lcap can only remove capabilities,
> and not add them again. You can have a look at the current section 9.3.2.1
> of the manual, there is a very short blurb on the subject (with some
> references)
Ok. I wasn't sure anymore, whether it is completely impossible to add back
a capability. Do you have some reference about that? I have something in
mind about that but I can't remember exactly.

> Does it answer your questions or did I miss a real loophole in the
> strategy that I described?
If you provide some reference, then for sure :)


MfG/Regards, Alexander

-- 
Alexander Reelsen   http://tretmine.org
ref@tretmine.org
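
Added example, not part of the original message: a decoder for the `kernel.cap-bound` value quoted in the thread. It lists which capabilities are absent from the bounding set and which were removed between two readings. The capability numbering is assumed to follow the 2.4-era `linux/capability.h`, the function names are hypothetical, and the second sample value is constructed.

```python
import re

# Bit positions assumed from the 2.4-era linux/capability.h (index = capability number).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE",
]

SYSCTL_RE = re.compile(r"^\s*kernel\.cap-bound\s*=\s*(-?\d+)\s*$")


def parse_cap_bound(line):
    """Return the bounding set as an unsigned 32-bit mask from one sysctl line."""
    m = SYSCTL_RE.match(line)
    if not m:
        raise ValueError("not a kernel.cap-bound line: %r" % line)
    # sysctl prints the value as a signed int; fold it back into 32 bits.
    return int(m.group(1)) & 0xFFFFFFFF


def missing_caps(mask):
    """Names of known capabilities whose bit is cleared in the mask."""
    return [n for bit, n in enumerate(CAP_NAMES) if not (mask >> bit) & 1]


def removed_since(baseline_line, current_line):
    """Capabilities present in the baseline reading but absent in the current one."""
    gone = parse_cap_bound(baseline_line) & ~parse_cap_bound(current_line)
    return [n for bit, n in enumerate(CAP_NAMES) if (gone >> bit) & 1]


if __name__ == "__main__":
    quoted = "kernel.cap-bound = -257"          # value shown in the thread
    constructed = "kernel.cap-bound = -196865"  # constructed: bits 16 and 17 also cleared
    print("absent from quoted value:", missing_caps(parse_cap_bound(quoted)))
    print("removed since baseline:  ", removed_since(quoted, constructed))
```
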


