tcpdump mailing list archives
Re: [PATCH] Drop unneeded capabilities
From: Michael Richardson <mcr () sandelman ottawa on ca>
Date: Thu, 24 Jun 2004 12:37:18 -0400
"Pekka" == Pekka Savola <pekkas () netcore fi> writes:

Pekka> Have you checked the code in the CVS? It already includes a
Pekka> "droproot" option.

Pekka> Yours is slightly different, though, as it uses
Pekka> (Linux-specific?) capabilities. I'm not sure if it's
Pekka> necessary when we already drop the root privileges.

Yes, they are Linux specific.
We should have a file: droppriv-FOO.c and put all relevant instructions
there.

Dropping things like the ability to call connect(2) means that an attacker
can't get out again, even if they are non-root.

-- 
] "Elmo went to the wrong fundraiser" - The Simpson | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr () xelerance com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
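A Linux-only helper of the kind the message suggests isolating in a per-platform droppriv file, as an added example (it is not the patch under discussion and not tcpdump's code; the file name droppriv-linux.c and the function names are hypothetical). It trims the permitted and effective capability sets to a caller-supplied mask with raw capget(2)/capset(2), then re-reads them and fails closed if anything else survived.

```c
/* droppriv-linux.c (hypothetical name): added illustration, not tcpdump code. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Read the calling thread's capability sets with raw capget(2). */
static int caps_get(struct __user_cap_data_struct d[2])
{
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    memset(d, 0, 2 * sizeof(d[0]));
    return (int)syscall(SYS_capget, &h, d);
}

/* Low 32 bits of the permitted set, or ~0u if it cannot be read. */
unsigned int caps_permitted_low(void)
{
    struct __user_cap_data_struct d[2];
    return caps_get(d) == 0 ? d[0].permitted : ~0u;
}

/* Keep only the capabilities in keep_mask (bits 0..31). 0 on success, -1 on failure. */
int droppriv_linux(unsigned int keep_mask)
{
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];

    if (caps_get(d) != 0)
        return -1;
    d[0].permitted &= keep_mask;      /* can only keep what is already held */
    d[0].effective = d[0].permitted;
    d[0].inheritable = 0;             /* nothing is passed across execve() */
    d[1].permitted = d[1].effective = d[1].inheritable = 0; /* caps 32..63 */
    if (syscall(SYS_capset, &h, d) != 0)
        return -1;
    /* Re-read and fail closed if anything outside the mask survived. */
    if (caps_get(d) != 0 || (d[0].permitted & ~keep_mask) || d[1].permitted)
        return -1;
    return 0;
}

int main(void)
{
    /* Intended to run after the capture device is open. */
    if (droppriv_linux(0) != 0) { perror("droppriv_linux"); return 1; }
    printf("permitted caps now: 0x%x\n", caps_permitted_low());
    return 0;
}
```

Passing `1u << CAP_NET_RAW` instead of 0 keeps only that capability, provided the process still holds it at the time of the call.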
Current thread:
- [PATCH] Drop unneeded capabilities Matt Beaumont (Jun 23)
- Re: [PATCH] Drop unneeded capabilities Pekka Savola (Jun 23)
- Re: [PATCH] Drop unneeded capabilities Jefferson Ogata (Jun 24)
- Re: [PATCH] Drop unneeded capabilities Michael Richardson (Jun 24)
- Re: [PATCH] Drop unneeded capabilities Jefferson Ogata (Jun 24)
- Re: [PATCH] Drop unneeded capabilities Pekka Savola (Jun 23)