[rsbac] Programs that drop privileges
Sven Seeland
sven.seeland at gmx.de
Tue Apr 3 19:50:29 CEST 2007
Hi there,
I already have another question. I think I already know the answer but I want to
be sure. Normally a program isn't allowed to MODIFY_SYSTEM_DATA on the
capabilities SCD. If I have a program that is started as root and then wants to
drop root privileges I have to grant it the right to MODIFY_SYSTEM_DATA on said
SCD (right?).
If that program then drops the capability to change its capabilities it should
no longer be able to acquire any capabilities, even though it has the right to
MODIFY_SYSTEM_DATA on SCP 22, right?
Just want to be sure because I don't want somebody who manages to hack into my
ntpd to be able to acquire all sorts of root privileges.
Thanks a lot,
Sven