#7562 NORM 8.2.0 (: Reducing root's capabilities.
Zarro Boogs per Child
bugtracker at laptop.org
Fri Jul 18 14:20:16 EDT 2008
#7562: Reducing root's capabilities.
-------------------------+--------------------------------------------------
Reporter: cscott | Owner: cscott
Type: defect | Status: new
Priority: normal | Milestone: 8.2.0 (was Update.2)
Component: security | Version: not specified
Resolution: | Keywords:
Next_action: never set | Verified: 0
Blockedby: | Blocking: 7397
-------------------------+--------------------------------------------------
Changes (by cscott):
* cc: dsaxena (added)
Comment:
Some of the capabilities that would need to be dropped:
{{{
CAP_SYS_TIME (maybe a narrower cap would be useful)
CAP_SYS_RAWIO (to prevent working around CAP_SYS_TIME)
CAP_SYS_MODULE (to avoid rewriting the kernel)
CAP_SYS_BOOT (to disable kexec_load)
}}}
I don't have high confidence that this list is complete: it may be
possible to use other root capabilities to work around the lack of the
above capabilities. Hard Thinking required. But the above would be a
start.
Note that removing CAP_SYS_RAWIO will probably break X, and removing
CAP_SYS_BOOT may disable reboot (unless we work around it by asking the
EC).
--
Ticket URL: <http://dev.laptop.org/ticket/7562#comment:1>
One Laptop Per Child <http://laptop.org/>
OLPC bug tracking system
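
One way to check whether a process still holds the four capabilities listed in the comment, as an added example that is not part of the ticket or of OLPC's code. It decodes the capability masks from `/proc/<pid>/status` text. The bit numbers are those defined in `<linux/capability.h>`, and the function names and sample status text are constructed for illustration.

```python
import re

# Bit numbers from <linux/capability.h> for the capabilities named in the ticket.
LISTED_CAPS = {
    "CAP_SYS_MODULE": 16,
    "CAP_SYS_RAWIO": 17,
    "CAP_SYS_BOOT": 22,
    "CAP_SYS_TIME": 25,
}

# Capability sets reported in /proc/<pid>/status that this check inspects.
CAP_SETS = ("CapInh", "CapPrm", "CapEff", "CapBnd")


def parse_cap_sets(status_text):
    """Return {set_name: integer mask} parsed from /proc/<pid>/status text."""
    masks = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", line)
        if m and m.group(1) in CAP_SETS:
            masks[m.group(1)] = int(m.group(2), 16)
    return masks


def listed_caps_present(status_text):
    """Return {set_name: sorted names of listed capabilities still set}."""
    return {
        set_name: sorted(n for n, bit in LISTED_CAPS.items() if mask & (1 << bit))
        for set_name, mask in parse_cap_sets(status_text).items()
    }


# Constructed sample: the four capabilities are cleared from the permitted
# and effective sets but are still present in the bounding set.
_LISTED_MASK = sum(1 << bit for bit in LISTED_CAPS.values())
_REDUCED = 0xFFFFFFFF & ~_LISTED_MASK
SAMPLE = (
    "Name:\texample\n"
    "CapInh:\t0000000000000000\n"
    f"CapPrm:\t{_REDUCED:016x}\n"
    f"CapEff:\t{_REDUCED:016x}\n"
    "CapBnd:\t00000000ffffffff\n"
)

if __name__ == "__main__":
    # Audit the current process; fall back to the sample off Linux.
    try:
        text = open("/proc/self/status").read()
    except OSError:
        text = SAMPLE
    for set_name, caps in listed_caps_present(text).items():
        print(set_name, ", ".join(caps) or "none of the listed capabilities")
```
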