RAW IO general question.

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

RAW IO general question.

Postby BoredSpy » Mon Apr 22, 2002 8:47 pm

My concern is that a user obtaining root priviledges could wipe out a filesystem/complete disk. I want to prevent this entirely. What would be the best way to do this without breaking anything critical?

Thanks
BoredSpy
 
Posts: 4
Joined: Mon Apr 22, 2002 6:21 pm

hm

Postby spender » Tue Apr 23, 2002 8:17 am

you can remove the CAP_SYS_RAWIO capability. This would keep someone from writing directly to your block devices. The only binary on most systems that requires cap_sys_rawio is XFree86. You can grant that capability to it with the acl system.
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby BoredSpy » Tue Apr 23, 2002 1:50 pm

Thank you very much. Where can I find the "Capabilities" documentation. I've seen mention of the existance of a capabilities document/list but have been entirely unable to locate it.

Thanks again.
BoredSpy
 
Posts: 4
Joined: Mon Apr 22, 2002 6:21 pm

..

Postby spender » Tue Apr 23, 2002 1:52 pm

A full capability listing and description is in /usr/src/linux/include/linux/capability.h

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby BoredSpy » Tue Apr 23, 2002 1:54 pm

Once again, thank you much :)
BoredSpy
 
Posts: 4
Joined: Mon Apr 22, 2002 6:21 pm

Re: hm

Postby BoredSpy » Tue Apr 23, 2002 2:22 pm

Sorry, one last question. I can use gradm -c -CAP_SYS_RAWIO which requires the grsec admin password. Is there a way to deny this capability to all processes at boot time non-interactively?

Sorry to be such a nuisance :p

spender wrote:you can remove the CAP_SYS_RAWIO capability. This would keep someone from writing directly to your block devices. The only binary on most systems that requires cap_sys_rawio is XFree86. You can grant that capability to it with the acl system.
BoredSpy
 
Posts: 4
Joined: Mon Apr 22, 2002 6:21 pm

yea

Postby spender » Tue Apr 23, 2002 2:26 pm

use gradm -I -CAP_SYS_RAWIO

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm


Return to grsecurity support

cron