In-Reply-To: <897813410902180125m3b781cc6ocfb4ffa4d0b2575e@mail.gmail.com>
Date: Wed, 18 Feb 2009 05:54:37 -0700
Message-ID: <4255c2570902180454n311635e5r8b247810d58c2e42@mail.gmail.com>
Subject: Re: [gentoo-hardened] change /sbin/rc
From: RB
To: gentoo-hardened@lists.gentoo.org

On Wed, Feb 18, 2009 at 02:25, Javier J. Martínez Cabezón wrote:
> Hi, I think that /sbin/rc should be changed from a shell script, the
> reason is that with gentoo hardened, security policies could be done
> removing all linux capabilities to root (and CAP_DAC_OVERRIDE), in my
> setup syslog-ng is launched as user audit (which has CAP_SYS_ADMIN and
> CAP_DAC_OVERRIDE as minimum rsbac capabilities), and between others
> utmp has owner as audit user. Since root has not capabilities this
> file cannot be touched, and chmod at boot. I can't grant to /sbin/rc a
> minimum capability CAP_DAC_OVERRIDE because it doesn't work since it's
> a bash shell-script, and granting it to mv, chmod etc is not a good
> idea as you can suppose :). Could it be done?

Beyond the fact that rsbac-admin and rsbac-sources have been removed,
there's no reason you can't do this. In my ~ARCH hardened systems with
openrc, /sbin/rc is a binary and not a shell script.