Date: Wed, 18 Feb 2009 10:33:02 +0100
Message-ID: <897813410902180133n1cfbba5bi78a30cacb79d57b5@mail.gmail.com>
Subject: [gentoo-hardened] change /sbin/rc
From: Javier J. Martínez Cabezón <tazok.id0@gmail.com>
To: gentoo-hardened@lists.gentoo.org

Hi, I think that /sbin/rc should be changed from a shell script. The
reason is that with Gentoo Hardened, security policies could be done
removing all Linux capabilities from root (and CAP_DAC_OVERRIDE). In my
setup syslog-ng is launched as user audit (which has CAP_SYS_ADMIN and
CAP_DAC_OVERRIDE as minimum RSBAC capabilities), and among others
utmp is owned by the audit user. Since root has no capabilities, this
file cannot be touched and chmod'ed at boot. I can't grant /sbin/rc a
minimum capability of CAP_DAC_OVERRIDE because it doesn't work since it's
a bash shell script, and granting it to mv, chmod etc. is not a good
idea, as you can suppose :). Could it be done?