On Sun, Jun 17, 2001 at 10:42:17PM -0800, Ethan Benson wrote:
> you would need to fix filesystem immutability and block device access
> as well. currently lcap CAP_LINUX_IMMUTABLE is useless since there
> is no way to deny root the ability to write directly to /dev/hda* and
> remove the immutable bits (I've written a script to remove chattr +i
> and +a even when CAP_LINUX_IMMUTABLE is removed from the bounding set,
> no reboot required).
I thought CAP_SYS_RAWIO would take care of that issue? Is it still possible to chattr +i if CAP_SYS_RAWIO is removed?

Phil
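The two capabilities under discussion, as an added example that is not part of the original thread or of lcap: the program below reads whether CAP_LINUX_IMMUTABLE and CAP_SYS_RAWIO are still in the calling thread's bounding set and then tries to set and clear the immutable flag on a file through the same FS_IOC_SETFLAGS ioctl that chattr uses, reporting the errno the kernel returns. It assumes a Linux kernel of 2.6.25 or later, where the bounding set is per-thread and is read with prctl(PR_CAPBSET_READ); lcap in 2001 manipulated the system-wide /proc/sys/kernel/cap-bound instead, which this code does not touch. The chattr path is the only one exercised here: the program never opens a block device, and opening /dev/hda* for writing is an ordinary permission check on the device node rather than a CAP_SYS_RAWIO check, so this example shows what CAP_LINUX_IMMUTABLE gates, not what raw disk access is gated by.

```c
/* Added example: probe the capability bounding set and the immutable-flag ioctl.
 * Build: cc -o immcheck immcheck.c
 * Run:   ./immcheck [file]    (setting +i on a real file needs CAP_LINUX_IMMUTABLE)
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <linux/capability.h>
#include <linux/fs.h>

/* Returns 1 if cap is in this thread's bounding set, 0 if it has been
 * dropped, -1 if the kernel rejected the query (e.g. unknown cap number). */
int cap_in_bounding_set(int cap)
{
    int r = prctl(PR_CAPBSET_READ, (unsigned long)cap, 0, 0, 0);
    return r < 0 ? -1 : r;
}

/* Set (on != 0) or clear (on == 0) FS_IMMUTABLE_FL on path, the way
 * chattr +i / -i does. Returns 0 on success or -errno on failure; the
 * kernel answers EPERM when the caller lacks CAP_LINUX_IMMUTABLE. */
int set_immutable(const char *path, int on)
{
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0)
        return -errno;

    int flags;                      /* kernel reads/writes an int here */
    if (ioctl(fd, FS_IOC_GETFLAGS, &flags) < 0) {
        int e = errno;
        close(fd);
        return -e;
    }
    if (on)
        flags |= FS_IMMUTABLE_FL;
    else
        flags &= ~FS_IMMUTABLE_FL;

    if (ioctl(fd, FS_IOC_SETFLAGS, &flags) < 0) {
        int e = errno;
        close(fd);
        return -e;
    }
    close(fd);
    return 0;
}

int main(int argc, char **argv)
{
    printf("CAP_LINUX_IMMUTABLE in bounding set: %d\n",
           cap_in_bounding_set(CAP_LINUX_IMMUTABLE));
    printf("CAP_SYS_RAWIO in bounding set:       %d\n",
           cap_in_bounding_set(CAP_SYS_RAWIO));

    if (argc > 1) {
        int r = set_immutable(argv[1], 1);
        printf("chattr +i %s: %s\n", argv[1], r == 0 ? "ok" : strerror(-r));
        if (r == 0) {
            /* Put the file back the way we found it. */
            r = set_immutable(argv[1], 0);
            printf("chattr -i %s: %s\n", argv[1], r == 0 ? "ok" : strerror(-r));
        }
    }
    return 0;
}
```

Run it once as an unprivileged user and once as root against a scratch file: the +i attempt fails with EPERM whenever CAP_LINUX_IMMUTABLE is missing from the bounding set or from the process, and succeeds otherwise, independent of whether CAP_SYS_RAWIO is present.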

