grsecurity forums


https://forums.grsecurity.net./

RAW IO general question.

https://forums.grsecurity.net./viewtopic.php?f=3&t=47

Page 1 of 1

RAW IO general question.

PostPosted: Mon Apr 22, 2002 8:47 pm
by BoredSpy
My concern is that a user obtaining root priviledges could wipe out a filesystem/complete disk. I want to prevent this entirely. What would be the best way to do this without breaking anything critical?

Thanks

hm

PostPosted: Tue Apr 23, 2002 8:17 am
by spender
you can remove the CAP_SYS_RAWIO capability. This would keep someone from writing directly to your block devices. The only binary on most systems that requires cap_sys_rawio is XFree86. You can grant that capability to it with the acl system.

PostPosted: Tue Apr 23, 2002 1:50 pm
by BoredSpy
Thank you very much. Where can I find the "Capabilities" documentation. I've seen mention of the existance of a capabilities document/list but have been entirely unable to locate it.

Thanks again.

..

PostPosted: Tue Apr 23, 2002 1:52 pm
by spender
A full capability listing and description is in /usr/src/linux/include/linux/capability.h

-Brad

PostPosted: Tue Apr 23, 2002 1:54 pm
by BoredSpy
Once again, thank you much :)

Re: hm

PostPosted: Tue Apr 23, 2002 2:22 pm
by BoredSpy
Sorry, one last question. I can use gradm -c -CAP_SYS_RAWIO which requires the grsec admin password. Is there a way to deny this capability to all processes at boot time non-interactively?

Sorry to be such a nuisance :p

spender wrote:you can remove the CAP_SYS_RAWIO capability. This would keep someone from writing directly to your block devices. The only binary on most systems that requires cap_sys_rawio is XFree86. You can grant that capability to it with the acl system.

yea

PostPosted: Tue Apr 23, 2002 2:26 pm
by spender
use gradm -I -CAP_SYS_RAWIO

-Brad
All times are UTC - 5 hours [ DST ]
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/