grsecurity forums

by **BoredSpy** » Mon Apr 22, 2002 8:47 pm

My concern is that a user obtaining root priviledges could wipe out a filesystem/complete disk. I want to prevent this entirely. What would be the best way to do this without breaking anything critical?

Thanks

by **spender** » Tue Apr 23, 2002 8:17 am

you can remove the CAP_SYS_RAWIO capability. This would keep someone from writing directly to your block devices. The only binary on most systems that requires cap_sys_rawio is XFree86. You can grant that capability to it with the acl system.

by **BoredSpy** » Tue Apr 23, 2002 1:50 pm

Thank you very much. Where can I find the "Capabilities" documentation. I've seen mention of the existance of a capabilities document/list but have been entirely unable to locate it.

Thanks again.

by **spender** » Tue Apr 23, 2002 1:52 pm

A full capability listing and description is in /usr/src/linux/include/linux/capability.h

-Brad

by **BoredSpy** » Tue Apr 23, 2002 1:54 pm

Once again, thank you much

by **BoredSpy** » Tue Apr 23, 2002 2:22 pm

Sorry, one last question. I can use gradm -c -CAP_SYS_RAWIO which requires the grsec admin password. Is there a way to deny this capability to all processes at boot time non-interactively?

Sorry to be such a nuisance :p

spender wrote:you can remove the CAP_SYS_RAWIO capability. This would keep someone from writing directly to your block devices. The only binary on most systems that requires cap_sys_rawio is XFree86. You can grant that capability to it with the acl system.

by **spender** » Tue Apr 23, 2002 2:26 pm

use gradm -I -CAP_SYS_RAWIO

-Brad

grsecurity forums

RAW IO general question.

RAW IO general question.

hm

..

Re: hm

yea