From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([69.77.167.62] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1LZigJ-0002t6-Bi for garchives@archives.gentoo.org; Wed, 18 Feb 2009 09:25:27 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id EBC47E02C5; Wed, 18 Feb 2009 09:25:24 +0000 (UTC) Received: from fg-out-1718.google.com (fg-out-1718.google.com [72.14.220.155]) by pigeon.gentoo.org (Postfix) with ESMTP id A9096E02C5 for ; Wed, 18 Feb 2009 09:25:24 +0000 (UTC) Received: by fg-out-1718.google.com with SMTP id e12so641900fga.14 for ; Wed, 18 Feb 2009 01:25:24 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:date:message-id:subject :from:to:content-type:content-transfer-encoding; bh=lu4dWSJTsgPVHNP72rn7CWWi0kwqNdLAgH7cudClsHA=; b=YvyACCRYv741iIFPx5pCpG+hJMDaFRUufYXvaxlQiE+vBCi5JOD2imW4K0WGVrlS6o Q0H8UhD8LdAVf8heVctvrAbaYABz8c0bn2i+WOyqcT+0HEh59sTuRiM6Rf3cDUWgVBh/ gJt91vBRg1AMNg7Za7pJKrnX5eWKTFSdQPfd0= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type :content-transfer-encoding; b=q9pUfs0cD57e8g18AyMTtUCg+pynkU4Z+LWwOHyRO50ZIiiN5KL22hPR/bARlY8xK2 IiXPQFj83gUpo96hyete0ADoZgyWSjJPBy4HNIK6q1INeq6MMq9sbcqKvQguqnYDa8gS QimRBd32CpEpMcIXondIQsnQ2biMdAYW4i27I= Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-hardened@lists.gentoo.org Reply-to: gentoo-hardened@lists.gentoo.org MIME-Version: 1.0 Received: by 10.103.131.18 with SMTP id i18mr2771417mun.120.1234949123997; Wed, 18 Feb 2009 01:25:23 -0800 (PST) Date: Wed, 18 Feb 2009 10:25:23 +0100 Message-ID: <897813410902180125m3b781cc6ocfb4ffa4d0b2575e@mail.gmail.com> Subject: [gentoo-hardened] change /sbin/rc From: =?ISO-8859-1?Q?Javier_J=2E_Mart=EDnez_Cabez=F3n?= To: gentoo-hardened@lists.gentoo.org Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Archives-Salt: 156717ee-cfc6-4bd4-9f2e-2a47f9d1210e X-Archives-Hash: 59273dbed6e35bd5549a5b288fe5a935 Hi, I think that /sbin/rc should be changed from a shell script, the reason is that with gentoo hardened, security policies could be done removing all linux capabilities to root (and CAP_DAC_OVERRIDE), in my setup syslog-ng is launched as user audit (which has CAP_SYS_ADMIN and CAP_DAC_OVERRIDE as minimun rsbac capabilities), and between others utmp has owner as audit user. Since root has not capabilities this file cannot be touched, and chmod at boot. I can't grant to /sbin/rc a minimum capability CAP_DAC_OVERRIDE because it doesn't work since it's a bash shell-script, and granting it to mv, chmod etc is not a good idea as you can suppose :). Could it be done?