#7562 NORM 8.2.0 (: Reducing root's capabilities.

Zarro Boogs per Child bugtracker at laptop.org
Fri Jul 18 14:20:16 EDT 2008

#7562: Reducing root's capabilities.
   Reporter:  cscott     |       Owner:  cscott              
       Type:  defect     |      Status:  new                 
   Priority:  normal     |   Milestone:  8.2.0 (was Update.2)
  Component:  security   |     Version:  not specified       
 Resolution:             |    Keywords:                      
Next_action:  never set  |    Verified:  0                   
  Blockedby:             |    Blocking:  7397                
Changes (by cscott):

 * cc: dsaxena (added)


 Some of the capabilities that would need to be dropped:
 CAP_SYS_TIME (maybe a narrower cap would be useful)
 CAP_SYS_RAWIO (to prevent working around CAP_SYS_TIME)
 CAP_SYS_MODULE (to avoid rewriting the kernel)
 CAP_SYS_BOOT (to disable kexec_load)
 I don't have high confidence that this list is complete: it may be
 possible to use other root capabilities to work around the lack of the
 above capabilities.  Hard Thinking required.  But the above would be a

 Note that removing CAP_SYS_RAWIO will probably break X, and removing
 CAP_SYS_BOOT may disable reboot (unless we work around it by asking the

Ticket URL: <http://dev.laptop.org/ticket/7562#comment:1>
One Laptop Per Child <http://laptop.org/>
OLPC bug tracking system

More information about the Bugs mailing list