Here's my proc acl:
/usr/X11R6/bin/XFree86 {
/ rwx
/var/log/XFree86.0.log rwo
+CAP_SYS_RAWIO
+CAP_SYS_MODULE
}
/usr/sbin/sshd hp {
/ rwx
/etc/shadow ro
/var/log/lastlog rwo
+CAP_NET_BIND_SERVICE
}
/usr/bin/ssh {
/ rwx
+CAP_NET_BIND_SERVICE
}
/usr/bin/wine {
/ rwx
+CAP_SYS_RAWIO
}
/usr/bin/wineserver {
/ rwx
+CAP_SYS_RAWIO
}
/usr/bin/cdp {
/ rwx
+CAP_SYS_RAWIO
}
/bin/su {
/ rwx
/etc/shadow ro
}
/bin/login {
/ rwx
/etc/shadow ro
/var/log/lastlog rwo
}
/etc/rc.d/init.d/halt vk {
/ rwx
+CAP_SYS_ADMIN
+CAP_SYS_RAWIO
+CAP_NET_ADMIN
}
/etc/rc.d/rc vk {
/ rwx
+CAP_SYS_ADMIN
+CAP_NET_ADMIN
}
/usr/sbin/httpd {
/ rwx
+CAP_NET_BIND_SERVICE
}
/usr/lib/postfix/master {
/ rwx
+CAP_NET_BIND_SERVICE
}
/usr/sbin/named {
/ rwx
+CAP_NET_BIND_SERVICE
+CAP_SYS_CHROOT
+CAP_SETPCAP
}
/usr/sbin/proftpd {
/ rwx
+CAP_NET_BIND_SERVICE
}
/usr/sbin/xinetd {
/ rwx
+CAP_NET_BIND_SERVICE
}
/usr/local/bin/snort {
/ rwx
/var/log/snort rwo
}
spender's proc acl
5 posts
• Page 1 of 1
spender's proc acl
by spender » Wed Mar 06, 2002 3:15 pm
- spender
- Posts: 2185
- Joined: Wed Feb 20, 2002 8:00 pm
Suggestion on suid files
by hytron » Fri May 24, 2002 9:05 am
A good suggestion for everyone would be to use a separate partition that will be mounted RO for suid files. This way, you add some extra security since you cannot modify the contents of suid file. I have a /suid partititon that keeps all of my suids and the permissions look like:
drwx--x--x 3 root root 1024 May 10 09:19 suid/
Note that the permissions for root are rwx but that's only for that directory when it was created. Since ro mount option was used, it remains read-only. This way no one can see names for the suids that you have on the system. Well, some known system programs will have symbolic links (like passwd, sendmail, etc.) to /suid, and others that you don't want to expose will be hidden.
drwx--x--x 3 root root 1024 May 10 09:19 suid/
Note that the permissions for root are rwx but that's only for that directory when it was created. Since ro mount option was used, it remains read-only. This way no one can see names for the suids that you have on the system. Well, some known system programs will have symbolic links (like passwd, sendmail, etc.) to /suid, and others that you don't want to expose will be hidden.
- hytron
- Posts: 7
- Joined: Mon May 20, 2002 2:20 pm
by torne » Thu Aug 22, 2002 8:21 am
The ACL system can already deny the ability to write to any file you like, so you don't need to do this. Just make sure that there is no write access to /bin /sbin /usr/bin /usr/sbin /lib..etc and then no binary can be changed at all, suid or not. =)
- torne
- Posts: 54
- Joined: Mon Aug 12, 2002 12:52 pm
5 posts
• Page 1 of 1