tcpdump mailing list archives
Re: [PATCH] Drop unneeded capabilities
From: Michael Richardson <mcr () sandelman ottawa on ca>
Date: Thu, 24 Jun 2004 12:37:18 -0400
"Pekka" == Pekka Savola <pekkas () netcore fi> writes:
Pekka> Have you checked the code in the CVS? It already includes a
Pekka> "droproot" option.
Pekka> Yours is slightly different, though, as it uses
Pekka> (Linux-specific?) capabilities. I'm not sure if it's
Pekka> necessary when we already drop the root privileges.
Yes, they are Linux specific.
We should have a file:
droppriv-FOO.c
and put all relevant instructions there.
Dropping things like the ability to call connect(2) means that an
attacker can't get out again, even if they are non-root.
--
] "Elmo went to the wrong fundraiser" - The Simpson | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr () xelerance com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
Current thread:
- [PATCH] Drop unneeded capabilities Matt Beaumont (Jun 23)
- Re: [PATCH] Drop unneeded capabilities Pekka Savola (Jun 23)
- Re: [PATCH] Drop unneeded capabilities Jefferson Ogata (Jun 24)
- Re: [PATCH] Drop unneeded capabilities Michael Richardson (Jun 24)
- Re: [PATCH] Drop unneeded capabilities Jefferson Ogata (Jun 24)
- Re: [PATCH] Drop unneeded capabilities Pekka Savola (Jun 23)
