Hello,
I would like to create a "mini-root" role in which it can do all things but:
1) alter files under /var/log
2) unable to alter grsecurity
Is something like this possible?
If so could you point me in the right direction to create the role? Just looking for an example.
Thanks,
CM
Creating a mini-root role
2 posts
• Page 1 of 1
Creating a mini-root role
by chaoticmachinery » Thu Apr 08, 2010 4:58 pm
- chaoticmachinery
- Posts: 1
- Joined: Thu Apr 08, 2010 4:51 pm
Re: Creating a mini-root role
by spender » Thu Apr 08, 2010 6:17 pm
It's not possible if you really mean "do all things." The problem is that even ignoring the problem of kernel exploits, unless you restrict this role considerably, it ends up being equivalent to full root, and thus able to alter grsecurity and edit /var/log. One simple example (though there are dozens or hundreds more): CAP_SYS_MODULE. With this capability, you have arbitrary code execution in the kernel, and so can disable/alter grsecurity, give yourself permission to alter any file, give yourself any of the other capabilities, etc.
So without considerable restriction (like the kinds of restrictions that the RBAC system enforces on non-special roles by default) such a role would almost entirely create a false sense of security.
-Brad
So without considerable restriction (like the kinds of restrictions that the RBAC system enforces on non-special roles by default) such a role would almost entirely create a false sense of security.
-Brad
- spender
- Posts: 2185
- Joined: Wed Feb 20, 2002 8:00 pm
2 posts
• Page 1 of 1