rpm: POSIX capabilities/ACLs?
Zbyniu Krzystolik
zbyniu at geocarbon.pl
Mon Feb 8 22:24:30 CET 2010
Tomasz Pala napisał(a):
> On Sat, Feb 06, 2010 at 12:04:07 +0100, Zbyniu Krzystolik wrote:
>
> > My note may be interested for you (pl); libcap-ng utils can simplify it.
> > http://zz.iapt.pl/bez_root2.txt
>
> That's similar to thing I want to do. The difference is you drop
> capabilities, and I want to set some for regular users (either
> designated - for daemons having it's own files and secrets, or nobody
> for anything else, using start-stop-daemon --chuid). Like this:
>
> setcap cap_net_bind_service=ei =nc
> execcap cap_net_bind_service=i su - gotar -c 'nc -l -p 34'
Like this? :)
http://zz.iapt.pl/bez_root.txt
> but this obviously requires tagging binaries. The problem is tracking
> all the xattrs (caps and ACLs).
Yep.
> Especially if I need to restrict some accounts (i.e. give some
> permissions to normal accounts) more, than hardening daemons...
I want it too. :)
Zbyniu
--
%% Absolutely nothing we trust %%
More information about the pld-devel-en
mailing list