* [gentoo-hardened] change /sbin/rc
@ 2009-02-18 9:25 Javier J. Martínez Cabezón
2009-02-18 12:54 ` RB
0 siblings, 1 reply; 5+ messages in thread
From: Javier J. Martínez Cabezón @ 2009-02-18 9:25 UTC (permalink / raw
To: gentoo-hardened
Hi, I think that /sbin/rc should be changed from a shell script, the
reason is that with gentoo hardened, security policies could be done
removing all linux capabilities to root (and CAP_DAC_OVERRIDE), in my
setup syslog-ng is launched as user audit (which has CAP_SYS_ADMIN and
CAP_DAC_OVERRIDE as minimun rsbac capabilities), and between others
utmp has owner as audit user. Since root has not capabilities this
file cannot be touched, and chmod at boot. I can't grant to /sbin/rc a
minimum capability CAP_DAC_OVERRIDE because it doesn't work since it's
a bash shell-script, and granting it to mv, chmod etc is not a good
idea as you can suppose :). Could it be done?
^ permalink raw reply [flat|nested] 5+ messages in thread
* [gentoo-hardened] change /sbin/rc
@ 2009-02-18 9:33 Javier J. Martínez Cabezón
0 siblings, 0 replies; 5+ messages in thread
From: Javier J. Martínez Cabezón @ 2009-02-18 9:33 UTC (permalink / raw
To: gentoo-hardened
Hi, I think that /sbin/rc should be changed from a shell script, the
reason is that with gentoo hardened, security policies could be done
removing all linux capabilities to root (and CAP_DAC_OVERRIDE), in my
setup syslog-ng is launched as user audit (which has CAP_SYS_ADMIN and
CAP_DAC_OVERRIDE as minimun rsbac capabilities), and between others
utmp has owner as audit user. Since root has not capabilities this
file cannot be touched, and chmod at boot. I can't grant to /sbin/rc a
minimum capability CAP_DAC_OVERRIDE because it doesn't work since it's
a bash shell-script, and granting it to mv, chmod etc is not a good
idea as you can suppose :). Could it be done?
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [gentoo-hardened] change /sbin/rc
2009-02-18 9:25 Javier J. Martínez Cabezón
@ 2009-02-18 12:54 ` RB
2009-02-18 14:04 ` Javier J. Martínez Cabezón
0 siblings, 1 reply; 5+ messages in thread
From: RB @ 2009-02-18 12:54 UTC (permalink / raw
To: gentoo-hardened
On Wed, Feb 18, 2009 at 02:25, Javier J. Martínez Cabezón
<tazok.id0@gmail.com> wrote:
> Hi, I think that /sbin/rc should be changed from a shell script, the
> reason is that with gentoo hardened, security policies could be done
> removing all linux capabilities to root (and CAP_DAC_OVERRIDE), in my
> setup syslog-ng is launched as user audit (which has CAP_SYS_ADMIN and
> CAP_DAC_OVERRIDE as minimun rsbac capabilities), and between others
> utmp has owner as audit user. Since root has not capabilities this
> file cannot be touched, and chmod at boot. I can't grant to /sbin/rc a
> minimum capability CAP_DAC_OVERRIDE because it doesn't work since it's
> a bash shell-script, and granting it to mv, chmod etc is not a good
> idea as you can suppose :). Could it be done?
Beyond the fact that rsbac-admin and rsbac-sources have been removed,
there's no reason you can't do this. In my ~ARCH hardened systems
with openrc, /sbin/rc is a binary and not a shell script.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [gentoo-hardened] change /sbin/rc
2009-02-18 12:54 ` RB
@ 2009-02-18 14:04 ` Javier J. Martínez Cabezón
2009-02-18 15:20 ` RB
0 siblings, 1 reply; 5+ messages in thread
From: Javier J. Martínez Cabezón @ 2009-02-18 14:04 UTC (permalink / raw
To: gentoo-hardened
Oh, thanks, I was so blind looking for a way to make it works that I
didn't get realize in the possibility to install an rc alternative.
I have installed rsbac on my own, but I think that the problem of
shell-scripts and capabilities are common to other frameworks as
grsecurity or SELinux. So thanks for your help.
2009/2/18 RB <aoz.syn@gmail.com>:
> On Wed, Feb 18, 2009 at 02:25, Javier J. Martínez Cabezón
> <tazok.id0@gmail.com> wrote:
>> Hi, I think that /sbin/rc should be changed from a shell script, the
>> reason is that with gentoo hardened, security policies could be done
>> removing all linux capabilities to root (and CAP_DAC_OVERRIDE), in my
>> setup syslog-ng is launched as user audit (which has CAP_SYS_ADMIN and
>> CAP_DAC_OVERRIDE as minimun rsbac capabilities), and between others
>> utmp has owner as audit user. Since root has not capabilities this
>> file cannot be touched, and chmod at boot. I can't grant to /sbin/rc a
>> minimum capability CAP_DAC_OVERRIDE because it doesn't work since it's
>> a bash shell-script, and granting it to mv, chmod etc is not a good
>> idea as you can suppose :). Could it be done?
>
> Beyond the fact that rsbac-admin and rsbac-sources have been removed,
> there's no reason you can't do this. In my ~ARCH hardened systems
> with openrc, /sbin/rc is a binary and not a shell script.
>
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [gentoo-hardened] change /sbin/rc
2009-02-18 14:04 ` Javier J. Martínez Cabezón
@ 2009-02-18 15:20 ` RB
0 siblings, 0 replies; 5+ messages in thread
From: RB @ 2009-02-18 15:20 UTC (permalink / raw
To: gentoo-hardened
On Wed, Feb 18, 2009 at 07:04, Javier J. Martínez Cabezón
<tazok.id0@gmail.com> wrote:
> Oh, thanks, I was so blind looking for a way to make it works that I
> didn't get realize in the possibility to install an rc alternative.
It's not really an alternative, per se: sys-apps/openrc is the default
rc under baselayout-2 so you will be using it eventually.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2009-02-18 15:20 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-02-18 9:33 [gentoo-hardened] change /sbin/rc Javier J. Martínez Cabezón
-- strict thread matches above, loose matches on Subject: below --
2009-02-18 9:25 Javier J. Martínez Cabezón
2009-02-18 12:54 ` RB
2009-02-18 14:04 ` Javier J. Martínez Cabezón
2009-02-18 15:20 ` RB
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox