From mboxrd@z Thu Jan  1 00:00:00 1970
Precedence: bulk
List-Post: <mailto:gentoo-hardened@lists.gentoo.org>
List-Help: <mailto:gentoo-hardened+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-hardened+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-hardened+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-hardened.gentoo.org>
X-BeenThere: gentoo-hardened@lists.gentoo.org
Reply-to: gentoo-hardened@lists.gentoo.org
MIME-Version: 1.0
Date: Wed, 18 Feb 2009 10:25:23 +0100
Message-ID: <897813410902180125m3b781cc6ocfb4ffa4d0b2575e@mail.gmail.com>
Subject: [gentoo-hardened] change /sbin/rc
From: =?ISO-8859-1?Q?Javier_J=2E_Mart=EDnez_Cabez=F3n?= <tazok.id0@gmail.com>
To: gentoo-hardened@lists.gentoo.org
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

Hi, I think that /sbin/rc should be changed from a shell script. The
reason is that with Gentoo Hardened, security policies could be done
removing all Linux capabilities from root (and CAP_DAC_OVERRIDE). In my
setup syslog-ng is launched as user audit (which has CAP_SYS_ADMIN and
CAP_DAC_OVERRIDE as minimum rsbac capabilities), and among others,
utmp has the audit user as owner. Since root has no capabilities, this
file cannot be touched and chmod'ed at boot. I can't grant /sbin/rc a
minimum capability CAP_DAC_OVERRIDE because it doesn't work since it's
a bash shell script, and granting it to mv, chmod, etc. is not a good
idea as you can suppose :). Could it be done?