On Mon, 20 Jan 2003 01:43, Christoph Hellwig wrote: > On Mon, Jan 20, 2003 at 01:39:39AM +0100, Russell Coker wrote: > > > What's the reason you can't just live with DAC for sysctls? > > > > What exactly do you mean by "live with DAC" in this context? If you mean > > "allow UID==0 processes to do whatever they like" then it's not going to > > work for any sort of chroot setup. > > This means check the unix file permissions / ACLs only overriden by > CAP_FOWNER processes. I don't think that would do for my chroot environments. I want to have root owned processes running in a chroot with no ability to escape or to affect the outside environment (and proc is mounted in the chroot). -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page _______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Sun Jan 19 2003 - 17:06:16 PST