From: Javier J. Martínez Cabezón
To: gentoo-hardened@lists.gentoo.org
Date: Wed, 18 Feb 2009 15:04:24 +0100
Subject: Re: [gentoo-hardened] change /sbin/rc
Message-ID: <897813410902180604s547331bejb6ed6a9d303fa743@mail.gmail.com>
In-Reply-To: <4255c2570902180454n311635e5r8b247810d58c2e42@mail.gmail.com>

Oh, thanks, I was so blind looking for a way to make it work that I didn't realize the possibility of installing an rc alternative. I have installed rsbac on my own, but I think that the problem of shell scripts and capabilities is common to other frameworks such as grsecurity or SELinux. So thanks for your help.

2009/2/18 RB:
> On Wed, Feb 18, 2009 at 02:25, Javier J. Martínez Cabezón wrote:
>> Hi, I think that /sbin/rc should be changed from a shell script. The
>> reason is that with gentoo hardened, security policies could be done
>> removing all linux capabilities from root (including CAP_DAC_OVERRIDE). In my
>> setup syslog-ng is launched as user audit (which has CAP_SYS_ADMIN and
>> CAP_DAC_OVERRIDE as minimum rsbac capabilities), and among others
>> utmp is owned by the audit user. Since root has no capabilities this
>> file cannot be touched and chmod'ed at boot. I can't grant /sbin/rc a
>> minimum capability CAP_DAC_OVERRIDE because it doesn't work since it's
>> a bash shell script, and granting it to mv, chmod etc. is not a good
>> idea as you can suppose :). Could it be done?
>
> Beyond the fact that rsbac-admin and rsbac-sources have been removed,
> there's no reason you can't do this. In my ~ARCH hardened systems
> with openrc, /sbin/rc is a binary and not a shell script.
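The thread turns on whether /sbin/rc is an ELF binary or a "#!" script: file capabilities are honoured only on the binary the kernel actually executes, so a capability set on a script file is never applied (the interpreter runs instead). The following check, added here as an example and not code from the thread or from openrc, classifies an executable and, for a script, names the interpreter that would have to carry the capability; the sample files it creates are constructed stand-ins for the two /sbin/rc variants discussed.

```shell
#!/bin/sh
# Added example: decide whether setcap(8)-style file capabilities could
# ever apply to a given executable. Prints "elf", "script" or "other".
classify_exec() {
    path=$1
    [ -f "$path" ] || { echo "missing"; return 1; }
    # First four bytes, rendered by od -c: "\177ELF" or "#!/x" etc.
    magic=$(dd if="$path" bs=4 count=1 2>/dev/null | od -An -c | tr -d ' \n')
    case "$magic" in
        '177ELF') echo "elf" ;;
        '#!'*)    echo "script" ;;
        *)        echo "other" ;;
    esac
}

# For a "#!" script, the program the kernel really execs: the interpreter.
script_interp() {
    head -n 1 "$1" | sed -n 's/^#![[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# Human-readable verdict for an administrator auditing boot executables.
cap_target() {
    kind=$(classify_exec "$1") || return 1
    case "$kind" in
        elf)    echo "$1: ELF binary, file capabilities apply to it directly" ;;
        script) echo "$1: script, a capability would have to go on $(script_interp "$1") (every script run by that interpreter would inherit it)" ;;
        *)      echo "$1: not a format file capabilities can target" ;;
    esac
}

# Constructed sample files (not real /sbin/rc): a bash rc script and an
# ELF-headed binary. Left in $tmp for inspection.
tmp=$(mktemp -d)
printf '#!/bin/bash\necho "starting services"\n' > "$tmp/rc.sh"
printf '\177ELF\002\001\001' > "$tmp/rc.bin"
cap_target "$tmp/rc.sh"
cap_target "$tmp/rc.bin"
```

Run it against the real path (`cap_target /sbin/rc`) to confirm which of the two cases an installed init system falls into before deciding where, if anywhere, a capability should be granted.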