Openwall Project   /home  Owl  JtR  Pro  crypt  pam_passwdqc  tcb  phpass  scanlogd  popa3d  msulogin  /  Linux  BIND  /  advisories  presentations  /  services  donations  /  wordlists  passwords  /  NEWS  community  lists  Wiki  CVSweb  mirrors  signatures
bringing security into open environments
 
Password Recovery Resources on the Net
[<prev] [next>] [<thread-prev] [thread-next>] [month] [year] [list] 
Date: Thu, 11 Nov 2004 15:40:30 -0800
From: "Anthony D. Urso" <anthonyu@...la.net>
To: owl-users@...ts.openwall.com
Subject: Re: iSEC advisory about binfmt_elf

I have a kernel mod here:

http://killa.net/infosec/acls/

... that allows binaries requiring RAW or PACKET sockets to be setgid
a configurable group instead of being setuid root.

It might save you some effort.

On Thu, Nov 11, 2004 at 08:58:26PM +0300, Solar Designer wrote:
> Yes, this does reduce the impact.  Especially if you ensure there're
> no SUID root binaries; on a default install of Owl (with tcb), it's
> sufficient to do:
> 
> 	control ping wheelonly
> 	control traceroute wheelonly
> 
> There're no other publicly-accessible SUID-roots by default.
> 
> (And we're planning to deal with at least traceroute before the next
> release such that it won't require SUID root anymore.)

-- 
 Au

 PGP Key ID: 0x385B44CB
 Fingerprint: 9E9E B116 DB2C D734 C090  E72F 43A0 95C4 385B 44CB
    "Maximus vero fugiens a quodam Urso, milite Romano, interemptus est"
                                               - Getica 235

Powered by Openwall GNU/*/Linux - Powered by OpenVZ