[rsbac] Programs that drop priviliges

Sven Seeland sven.seeland at gmx.de
Tue Apr 3 19:50:29 CEST 2007


Hi there,

I already have another question. I think I already know the answer but I want to 
be sure. Normally a program isn't allowed to MODIFY_SYSTEM_DATA on the 
capabilities SCD. If I have a program that is started as root and then wants to 
drop root priviliges I have to grant it the right to MODIFY_SYSTEM_DATA on said 
SCD (right?).
If that program then drops the capability to change its capabilities it should 
no longer be able to acquire any capabilities, even though it has the right to 
MODIFY_SYSTEM_DATA on SCP 22, right?

Just want to be sure because I don't want somebody who manages to hack into my 
ntpd to be able to acquire all sorts of root priviliges.

Thanks a lot,

Sven


More information about the rsbac mailing list