Re: Is this mail list dead?
On Tue, Mar 13, 2001 at 02:49:03AM -0300, Rik van Riel wrote:
> On Mon, 12 Mar 2001, Tracy R Reed wrote:
> > On Tue, Mar 13, 2001 at 12:03:44AM -0300, Rik van Riel wrote:
> > > Is there anything I've forgotten to mention, or are there
> > > other things needed to make Linux distro's more secure without
> > > impacting functionality or ease-of-use ?
> >
> > Is there really any reason to require programs to be run as root to
> > bind to ports <1024 anymore?
>
> No. I remember somebody mentioning a wrapper program to be able
> to load e.g. named with just CAP_NET_BIND_SERVICE set and no root
> rights.
Currently programs that do that have to rely on themselves to do it
right, that is, bind to the port and drop root privileges.
I think capabilities are really being forgotten. I can only remember
one program that uses them for security purposes, xntp, and from
a specific distro. It only has the CAP_SYS_TIME capability or something
like that, so that it only has privileges to change the system clock.
I'll use it now, of course, for CL7.0.
> This keeps the SUID part down to just this (small) wrapper
> program. Can anybody remember the name ??
I don't, I'm sorry.
>
> Andreas, could we have this thing in Conectiva when we dig it
> up ? ;)
Sure. But I would prefer to have more programs using capabilities,
even if only to find bugs in the capability feature... :)
libcap is already in the distro, let's start linking stuff to it! :)
-
Securedistros: A common list for all secured Linux distributions
Archive: http://humbolt.nl.linux.org/lists/
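The thread contrasts two ways of getting a daemon onto a port below 1024: the traditional "start as root, bind, then drop privileges" dance, and running with only CAP_NET_BIND_SERVICE in the effective set. The C program below is an added example written for this archive page; it is not code from the list, from Conectiva, or from xntp. It checks the process's effective capability mask via /proc/self/status (the bit numbers 10 for CAP_NET_BIND_SERVICE and 25 for CAP_SYS_TIME are the values from linux/capability.h), then shows the bind-then-drop sequence with the ordering mistakes that usually bite (setgid after setuid, forgetting supplementary groups, not verifying the drop). The port 80 and uid/gid 65534 are placeholders, not values from the page.

```c
/* Added example (not from the list thread): inspect the effective
 * capability set, bind a privileged port, then drop root so the
 * listening socket outlives the privilege. Bit numbers below are the
 * values defined in linux/capability.h. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <grp.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define CAP_BIT_NET_BIND_SERVICE 10  /* CAP_NET_BIND_SERVICE in linux/capability.h */
#define CAP_BIT_SYS_TIME         25  /* CAP_SYS_TIME in linux/capability.h */

/* Test one capability bit in a hex mask as printed by /proc/<pid>/status
 * (e.g. "CapEff: 0000000000000400"). Returns 1 if set, 0 if not set or
 * if the input is malformed. */
int cap_mask_has(const char *hex_mask, int cap)
{
    char *end;
    errno = 0;
    unsigned long long mask = strtoull(hex_mask, &end, 16);
    if (errno != 0 || end == hex_mask || cap < 0 || cap > 63)
        return 0;
    return (int)((mask >> cap) & 1ULL);
}

/* Copy the hex digits of the CapEff line of /proc/self/status into out.
 * Returns 0 on success, -1 if the file or the line is unavailable. */
int read_effective_caps(char *out, size_t outlen)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char line[256];
    int rc = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            const char *p = line + 7;
            while (*p == ' ' || *p == '\t') p++;
            size_t n = strcspn(p, "\n");
            if (n < outlen) { memcpy(out, p, n); out[n] = '\0'; rc = 0; }
            break;
        }
    }
    fclose(f);
    return rc;
}

/* Bind a TCP listener on a privileged port, then give up root entirely.
 * Order matters: clear supplementary groups and setgid BEFORE setuid,
 * because once the uid is unprivileged those calls would fail.
 * Returns the listening fd, or -1 on any error. */
int bind_privileged_then_drop(unsigned short port, uid_t uid, gid_t gid)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    /* The socket is bound; nothing privileged is needed from here on. */
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0) {
        close(fd);
        return -1;
    }
    /* Verify the drop is irreversible: regaining root must now fail. */
    if (uid != 0 && setuid(0) == 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    char caps[64];
    if (read_effective_caps(caps, sizeof caps) == 0)
        printf("CapEff=%s net_bind_service=%d sys_time=%d\n", caps,
               cap_mask_has(caps, CAP_BIT_NET_BIND_SERVICE),
               cap_mask_has(caps, CAP_BIT_SYS_TIME));
    /* Placeholder port and uid/gid: a real daemon takes these from config. */
    int fd = bind_privileged_then_drop(80, 65534, 65534);
    if (fd < 0) {
        perror("bind_privileged_then_drop (needs root or CAP_NET_BIND_SERVICE)");
        return 1;
    }
    printf("listening on 127.0.0.1:80 as uid %d\n", (int)getuid());
    close(fd);
    return 0;
}
```

Run as an unprivileged user the bind fails and the CapEff line shows an all-zero mask; run as root it binds, drops to uid 65534 and confirms that setuid(0) no longer succeeds. The capability route the thread wishes for is the same check from the other side: when the binary carries CAP_NET_BIND_SERVICE in its effective set (libcap's setcap tool can grant that to an executable), the CapEff mask shows bit 10 without the process ever having been root, so the drop step has nothing to drop.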