From: Javier J. Martínez Cabezón
To: gentoo-hardened@lists.gentoo.org
Date: Wed, 18 Feb 2009 10:33:02 +0100
Subject: [gentoo-hardened] change /sbin/rc

Hi,

I think that /sbin/rc should be changed from a shell script. The reason is that with Gentoo Hardened, security policies could be done removing all Linux capabilities from root (and CAP_DAC_OVERRIDE). In my setup syslog-ng is launched as user audit (which has CAP_SYS_ADMIN and CAP_DAC_OVERRIDE as minimum RSBAC capabilities), and among others utmp is owned by the audit user. Since root has no capabilities, this file cannot be touched and chmod'ed at boot. I can't grant /sbin/rc a minimum capability of CAP_DAC_OVERRIDE because it doesn't work, since it's a bash shell script, and granting it to mv, chmod, etc. is not a good idea, as you can imagine :).

Could it be done?