gradm

Robert Connolly robert at linuxfromscratch.org
Wed Nov 5 20:18:04 PST 2008


On Wednesday November 5 2008 09:28:48 pm Robert Connolly wrote:
> The first idea is to copy, or hardlink, /bin/login
> to /sbin/login.caps. /sbin/login.caps has the posix capabilities, and
> agetty (and sshd, and any other login daemon) would need to be modified to
> use this login program instead of the one in /bin. /sbin/login.caps would
> only be executable by the 'login' group. I don't like this because every
> daemon that expects to be running as root would need to be modified, and
> this might be a lot of maintenance (for me), but this is minimal privileges
> and doesn't require grsecurity for enforcement.

This may not be so bad. Both agetty and sshd have reasonable ways of modifying 
the path for /bin/login. With agetty it can be changed at run time with 
the '-l' option, or hard coded as the default in util-linux-ng 
include/pathnames.h. OpenSSH uses pathnames.h.

/bin/su complicates things too. /bin/su would need to be sgid 'login', and 
use /sbin/login.caps, to use the --login option. /bin/su and /bin/login would 
have some duplicate capabilities. And I don't see where Shadow-utils hard 
codes /bin/login (yet); it may use $PATH.

I don't know if it would end here, or if many other packages would need 
modifying.

robert
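
An audit of the restricted login binary layout discussed in this thread, as an added example that is not part of the original message. A hard link shares its inode with /bin/login, so group, mode and file capabilities set through one name apply to both; the check therefore flags a link count above one. The function name `audit_restricted_login` is hypothetical, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): audit a restricted copy of login.
# Usage: script PATH GID, e.g. PATH=/sbin/login.caps and
#        GID=$(getent group login | cut -d: -f3)
# Assumes GNU coreutils stat; getcap (libcap) is optional.

# Prints one finding per line; returns 0 when there are none.
audit_restricted_login() {
    path=$1 want_gid=$2 findings=0

    [ -f "$path" ] || { echo "missing: $path"; return 2; }

    # One inode, several names: mode, group and the security.capability
    # xattr would be shared with every other name (e.g. /bin/login).
    links=$(stat -c %h "$path")
    if [ "$links" -ne 1 ]; then
        echo "hardlinked: $path is one of $links names for its inode"
        findings=$((findings + 1))
    fi

    gid=$(stat -c %g "$path")
    if [ "$gid" != "$want_gid" ]; then
        echo "group: gid is $gid, expected $want_gid"
        findings=$((findings + 1))
    fi

    # Octal mode: last digit is "other", the one before it is "group".
    mode=$(stat -c %a "$path")
    case $mode in
        *0) ;;
        *)  echo "mode: $mode grants access to other"
            findings=$((findings + 1)) ;;
    esac
    case $mode in
        *[1357]?) ;;
        *)  echo "mode: $mode does not let the group execute"
            findings=$((findings + 1)) ;;
    esac

    # Informational only: show which file capabilities are attached.
    if command -v getcap >/dev/null 2>&1; then
        caps=$(getcap "$path" 2>/dev/null) || true
        echo "capabilities: ${caps:-none set}"
    fi

    [ "$findings" -eq 0 ]
}

if [ "$#" -eq 2 ]; then audit_restricted_login "$1" "$2"; fi
```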