From: Alan McKinnon
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: Block root user from login on xorg GUI
Date: Sun, 15 Nov 2009 18:12:21 +0200
Message-Id: <200911151812.21135.alan.mckinnon@gmail.com>

On Sunday 15 November 2009 16:40:48 Nikos Chantziaras wrote:
> On 11/15/2009 11:22 AM, Dirk Heinrichs wrote:
> > SELinux allows to spread the tasks root needs to do or can do across
> > several roles. Of course, if only one single person has root access to
> > the system this doesn't make sense. But we're talking about cases where
> > several people (incl. the malicious attacker) have root access. So you
> > can very well configure a (SE-)Linux system so that "root" can't do
> > everything.
>
> So how do you get your machine back if you forbid yourself to change its
> configuration then?

reboot|power down|pull power plug out|whatever and edit kernel config line to
not load selinux

--
alan dot mckinnon at gmail dot com
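
Added example, not part of the message above or of any project's code: since the reply relies on SELinux being switchable from the kernel command line, an administrator may want to audit boot entries for exactly that. It assumes the standard `selinux=0` and `enforcing=0` kernel parameters and GRUB-style `kernel`/`linux` lines; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit kernel command lines for parameters that weaken SELinux.
# selinux=0 stops SELinux from loading; enforcing=0 boots it in permissive mode.

# Classify one command line ($1; defaults to the running kernel's).
# Assumption: when a parameter is repeated, the last occurrence wins.
selinux_boot_state() (
    set -f                                   # no globbing while word-splitting
    cmdline=${1-$(cat /proc/cmdline 2>/dev/null)}
    enabled=1
    permissive=0
    for param in $cmdline; do
        case $param in
            selinux=0)   enabled=0 ;;
            selinux=1)   enabled=1 ;;
            enforcing=0) permissive=1 ;;
            enforcing=1) permissive=0 ;;
        esac
    done
    if [ "$enabled" = 0 ]; then echo disabled
    elif [ "$permissive" = 1 ]; then echo permissive
    else echo ok
    fi
)

# Read a boot loader config on stdin and print "<line>:<state>" for every
# kernel/linux entry whose command line disables or relaxes SELinux.
audit_boot_config() (
    set -f
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -- $line
        case ${1-} in
            kernel|linux|linux16|linuxefi) shift ;;
            *) continue ;;
        esac
        state=$(selinux_boot_state "$*")
        [ "$state" = ok ] || echo "$n:$state"
    done
)

# Constructed sample in GRUB legacy style (not taken from the thread).
sample_conf() {
    printf '%s\n' 'title Gentoo' \
        'kernel /boot/vmlinuz root=/dev/sda3' \
        'title Gentoo (recovery)' \
        'kernel /boot/vmlinuz root=/dev/sda3 selinux=0'
}

sample_conf | audit_boot_config              # prints 4:disabled
```

Run against a real config with `audit_boot_config < /boot/grub/grub.conf`, or call `selinux_boot_state` with no argument to check the running kernel.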