On Thu, 14 Aug 2003 at 08:22:37PM -0400, Colin Walters wrote: > On Wed, 2003-08-13 at 21:00, valerian wrote: > > > Well capabilities are only one of the things that grsec implements. You > > can also restrict a process to access various parts of the filesystem. > > There's no reason /usr/sbin/apache should have write access to /etc, so > > you just don't allow it. > > Right, but we were discussing the scenario where the attacker is able to > execute another program, such as /bin/sh. In that case all is lost, > because the security is only associated with the executable pathname.
With grsecurity ACLs can be inherited (from a parent process) and over-ridden... -- Phillip Hofmeister PGP/GPG Key: http://www.zionlth.org/~plhofmei/ wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import -- Excuse #101: User to computer ratio too high. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
