[Nottingham] Linux (POSIX) capabilities attributes

VM vadim+NLUG at mankevich.co.uk
Thu May 18 08:09:23 UTC 2017


On 17 May 2017 17:40:12 BST, Martin via Nottingham <nottingham at mailman.lug.org.uk> wrote:
>Folks,
>
>Quick security question:
>
>
>Does anyone (bother) to use the Linux (POSIX) capabilities attributes
>for securing/restricting (system/admin/user) utilities ?
>
>Or is it SELinux all the way?
>
>Or is it just hope and prey? (Deliberate pun there :-P )
>
>
>Cheers,
>Martin
>
>
>-- 
>- ╔═══════════════════╦══════════════════════════════════════════╗
>- ║   Martin Lomas    ║ OpenPGP (GPG/PGP) Public Key: 0xCEE1D3B7 ║
>- ║ martin@ ml1 co uk ║ Import from   hkp://subkeys.pgp.net   or ║
>- ║ ----------------- ║ http:// ml1 .co .uk/martin_ml1_co_uk.gpg ║
>- ╚═══════════════════╩══════════════════════════════════════════╝
>

Do you run untrusted software as uid 0 or make suid executables writable by world? :))) Restricting capabilities makes sense for privileged containers that are exposed to untrusted networks and devices. I prefer unprivileged containers, so I don't have to use capabilities.
--
vadim at mankevich.co.uk PGP key fingerprint
0xC046022A3A91455AF0C9BB2404BF882B1905C772
Retrieve from hkps://pgp.mit.edu


