Message-ID: <20041111234030.GX16013@killa.net>
Date: Thu, 11 Nov 2004 15:40:30 -0800
From: "Anthony D. Urso" <anthonyu@...la.net>
To: owl-users@...ts.openwall.com
Subject: Re: iSEC advisory about binfmt_elf

I have a kernel mod here:

http://killa.net/infosec/acls/

... that allows binaries requiring RAW or PACKET sockets to be setgid
a configurable group instead of being setuid root.

It might save you some effort.

On Thu, Nov 11, 2004 at 08:58:26PM +0300, Solar Designer wrote:
> Yes, this does reduce the impact. Especially if you ensure there're
> no SUID root binaries; on a default install of Owl (with tcb), it's
> sufficient to do:
>
> control ping wheelonly
> control traceroute wheelonly
>
> There're no other publicly-accessible SUID-roots by default.
>
> (And we're planning to deal with at least traceroute before the next
> release such that it won't require SUID root anymore.)
--
Au
PGP Key ID: 0x385B44CB
Fingerprint: 9E9E B116 DB2C D734 C090 E72F 43A0 95C4 385B 44CB
"Maximus vero fugiens a quodam Urso, milite Romano, interemptus est"
- Getica 235
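
Added example, not part of the original message and not code from Owl or from the kernel mod linked above: a shell audit for the condition described in the quoted text, that no SUID-root binary is left publicly accessible. It assumes that a restricted setting such as `wheelonly` leaves the binary SUID but without the execute bit for "other"; the function names `audit_suid` and `count_public` are hypothetical.

```shell
#!/bin/sh
# audit_suid DIR [OWNER_UID]
# Lists SUID regular files under DIR owned by OWNER_UID (default 0, root).
# Output, one line per file:
#   PUBLIC <path>      SUID and executable by "other": any local user can run it
#   RESTRICTED <path>  SUID but not executable by "other" (assumed result of a
#                      group-restricted setting such as "wheelonly")
audit_suid() {
    dir=$1
    owner=${2:-0}

    # -perm -4001: both the SUID bit and the other-execute bit are set.
    find "$dir" -xdev -type f -user "$owner" -perm -4001 -print 2>/dev/null |
        sed 's/^/PUBLIC /'

    # SUID set, other-execute clear: reachable only through owner or group.
    find "$dir" -xdev -type f -user "$owner" -perm -4000 ! -perm -0001 \
        -print 2>/dev/null |
        sed 's/^/RESTRICTED /'
}

# count_public DIR [OWNER_UID]
# Prints the number of PUBLIC entries; 0 means no publicly accessible
# SUID binaries for that owner were found under DIR.
count_public() {
    audit_suid "$@" | awk '/^PUBLIC /{n++} END{print n+0}'
}

# Typical use after tightening ping and traceroute (run as root so that
# every directory is readable):
#   audit_suid /
#   [ "$(count_public /)" -eq 0 ] && echo "no publicly accessible SUID-root binaries"
```

Files reported as PUBLIC are the ones to review for a restricted setting or for a non-SUID replacement such as the setgid approach described in the message.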