|
Message-ID: <20041111234030.GX16013@killa.net> Date: Thu, 11 Nov 2004 15:40:30 -0800 From: "Anthony D. Urso" <anthonyu@...la.net> To: owl-users@...ts.openwall.com Subject: Re: iSEC advisory about binfmt_elf I have a kernel mod here: http://killa.net/infosec/acls/ ... that allows binaries requiring RAW or PACKET sockets to be setgid a configurable group instead of being setuid root. It might save you some effort. On Thu, Nov 11, 2004 at 08:58:26PM +0300, Solar Designer wrote: > Yes, this does reduce the impact. Especially if you ensure there're > no SUID root binaries; on a default install of Owl (with tcb), it's > sufficient to do: > > control ping wheelonly > control traceroute wheelonly > > There're no other publicly-accessible SUID-roots by default. > > (And we're planning to deal with at least traceroute before the next > release such that it won't require SUID root anymore.) -- Au PGP Key ID: 0x385B44CB Fingerprint: 9E9E B116 DB2C D734 C090 E72F 43A0 95C4 385B 44CB "Maximus vero fugiens a quodam Urso, milite Romano, interemptus est" - Getica 235
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.