robert at linuxfromscratch.org
Wed Nov 5 18:28:48 PST 2008
I'm still on the /bin/login problem.

agetty can run as an unprivileged user with simple write permission on some tty
devices, but it needs to run /bin/login with setuid/setgid capabilities. I
have only come up with two ideas, and I don't really like either of them.

The first idea is to copy, or hardlink, /bin/login to /sbin/login.caps.
/sbin/login.caps has the POSIX capabilities, and agetty (and sshd, and any
other login daemon) would need to be modified to use this login program
instead of the one in /bin. /sbin/login.caps would only be executable by the
'login' group. I don't like this because every daemon that expects to be
running as root would need to be modified, and this might be a lot of
maintenance (for me), but this is minimal privileges and doesn't require
grsecurity for enforcement.

The second idea is to give the capabilities to /sbin/agetty, and let /bin/login
inherit them. This is more practical, but it means that agetty can run any
program with the setuid/setgid capabilities... it's not minimal privilege,
but this can be brought to minimal privilege with grsecurity ACLs.

The most elegant solution is to have filesystem group permissions on security
attributes, and from what I read this doesn't exist in any operating system.

klogd's dd pipe of /proc/kmsg has a similar problem, but in this case I think
it's best, and practical, to hard link /bin/dd to /sbin/klogd-dd, group
executable, and continue running it like we already do, except with just the
sys_admin capability. This could even run as a dedicated 'klogd-helper'
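Added example (not part of Robert's message or of HLFS): a small Python model of
how the kernel computes a process's capability sets across execve(), used to
compare the two /bin/login layouts and the klogd-dd helper described above. The
rules are the classic file-capability transition from capabilities(7); the
bounding set, uids, gids and file modes are constructed values, the executing
process is assumed to be non-root (the uid 0 special cases are not modelled),
and for the second idea /bin/login is assumed to carry inheritable file bits plus
the effective flag so that it can pick the capabilities up from agetty.

```python
# Model of Linux file-capability transitions on execve() (non-root caller):
#   P'(permitted)   = (P(inheritable) & F(inheritable)) | (F(permitted) & bounding)
#   P'(effective)   = P'(permitted) if F(effective) else {}
#   P'(inheritable) = P(inheritable)
# Assumptions: caller is not uid 0; the ambient set added in later kernels is ignored.
from dataclasses import dataclass

CAP_SETUID = "cap_setuid"
CAP_SETGID = "cap_setgid"
CAP_SYS_ADMIN = "cap_sys_admin"
BOUNDING = frozenset({CAP_SETUID, CAP_SETGID, CAP_SYS_ADMIN})  # constructed bounding set


@dataclass(frozen=True)
class ProcCaps:
    """Capability sets of a running (non-root) process."""
    permitted: frozenset = frozenset()
    inheritable: frozenset = frozenset()
    effective: frozenset = frozenset()


@dataclass(frozen=True)
class FileCaps:
    """File capabilities as set with setcap(8); 'effective' is a single flag."""
    permitted: frozenset = frozenset()
    inheritable: frozenset = frozenset()
    effective: bool = False


def exec_transition(proc: ProcCaps, file: FileCaps, bounding=BOUNDING) -> ProcCaps:
    """Capability sets the new program starts with after execve()."""
    new_permitted = (proc.inheritable & file.inheritable) | (file.permitted & bounding)
    new_effective = new_permitted if file.effective else frozenset()
    return ProcCaps(new_permitted, proc.inheritable, new_effective)


def may_execute(mode: int, file_uid: int, file_gid: int, uid: int, gids: frozenset) -> bool:
    """DAC execute check: owner bits, else group bits, else other bits."""
    if uid == file_uid:
        return bool(mode & 0o100)
    if file_gid in gids:
        return bool(mode & 0o010)
    return bool(mode & 0o001)


# Constructed ids: agetty runs as uid 1001 and is a member of group 'login' (gid 200).
AGETTY_UID, LOGIN_GID, ROOT = 1001, 200, 0
AGETTY_GIDS = frozenset({1001, LOGIN_GID})

# Idea 1: /sbin/login.caps carries setuid/setgid itself (mode 0750 root:login),
# and agetty runs with no capabilities at all.
LOGIN_CAPS_FILE = FileCaps(permitted=frozenset({CAP_SETUID, CAP_SETGID}), effective=True)
AGETTY_NOCAPS = ProcCaps()

# Idea 2: agetty holds setuid/setgid in its permitted and inheritable sets, and
# /bin/login carries only inheritable bits plus the effective flag (assumption).
AGETTY_WITH_CAPS = ProcCaps(
    permitted=frozenset({CAP_SETUID, CAP_SETGID}),
    inheritable=frozenset({CAP_SETUID, CAP_SETGID}),
    effective=frozenset({CAP_SETUID, CAP_SETGID}),
)
LOGIN_INHERIT_FILE = FileCaps(inheritable=frozenset({CAP_SETUID, CAP_SETGID}), effective=True)

# klogd helper: a hard link of dd carrying only cap_sys_admin.
KLOGD_DD_FILE = FileCaps(permitted=frozenset({CAP_SYS_ADMIN}), effective=True)


def idea1_login_caps() -> ProcCaps:
    return exec_transition(AGETTY_NOCAPS, LOGIN_CAPS_FILE)


def idea2_login_caps() -> ProcCaps:
    return exec_transition(AGETTY_WITH_CAPS, LOGIN_INHERIT_FILE)


def idea2_other_program(file: FileCaps) -> ProcCaps:
    """What any other binary exec'd by the capable agetty ends up with."""
    return exec_transition(AGETTY_WITH_CAPS, file)


def klogd_helper_caps() -> ProcCaps:
    return exec_transition(ProcCaps(), KLOGD_DD_FILE)


if __name__ == "__main__":
    print("idea 1, login.caps effective:", sorted(idea1_login_caps().effective))
    print("idea 2, /bin/login effective:", sorted(idea2_login_caps().effective))
    print("idea 2, any other +i binary:", sorted(idea2_other_program(LOGIN_INHERIT_FILE).effective))
    print("idea 2, binary without file caps:", sorted(idea2_other_program(FileCaps()).effective))
    print("klogd-dd effective:", sorted(klogd_helper_caps().effective))
    print("login.caps runnable by agetty:", may_execute(0o750, ROOT, LOGIN_GID, AGETTY_UID, AGETTY_GIDS))
    print("login.caps runnable by uid 1002:", may_execute(0o750, ROOT, LOGIN_GID, 1002, frozenset({1002})))
```

Running it shows the trade-off in the message: under the first idea the
capabilities live only on the one file that the 'login' group can execute, while
under the second idea the capable agetty hands them to every binary whose file
inheritable bits match, which is the part grsecurity ACLs would have to narrow.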