I'm still on the /bin/login problem. agetty can run as an unprivileged user with simple write permission on some tty devices, but it needs to run /bin/login with setuid/setgid capabilities. I have only come up with two ideas, and I don't really like either of them.
The first idea is to copy, or hardlink, /bin/login to /sbin/login.caps. /sbin/login.caps has the POSIX capabilities, and agetty (and sshd, and any other login daemon) would need to be modified to use this login program instead of the one in /bin. /sbin/login.caps would only be executable by the 'login' group. I don't like this because every daemon that expects to be running as root would need to be modified, and this might be a lot of maintenance (for me), but this is minimal privileges and doesn't require grsecurity for enforcement.

Second idea is to give the capabilities to /sbin/agetty, and let /bin/login inherit them. This is more practical, but it means that agetty can run any program with the setuid/setgid capabilities... it's not minimal privilege, but this can be brought to minimal privilege with grsecurity ACLs.

The most elegant solution is to have filesystem group permissions on security attributes, and from what I read this doesn't exist in any operating system.

klogd's dd pipe of /proc/kmsg has a similar problem, but in this case I think it's best, and practical, to hard link /bin/dd to /sbin/klogd-dd, group executable, and continue running it like we already do, except with just the sys_admin capability. This could even run as a dedicated 'klogd-helper' user/group.

robert
-- http://linuxfromscratch.org/mailman/listinfo/hlfs-dev FAQ: http://www.linuxfromscratch.org/faq/ Unsubscribe: See the above information page
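As an added illustration (not code from the mail or from HLFS), a small model of the execve() capability transformation described in capabilities(7), applied to the two designs above. It assumes current Linux file-capability semantics, which may differ from the capability patches in use when the mail was written, and for the second design it assumes agetty has already raised cap_setuid/cap_setgid into its own inheritable set.

```python
"""Model of how Linux derives a process's capability sets across execve(),
following the rules in capabilities(7) (ambient capabilities and securebits
are left out).  Used to compare the two designs from the mail for handing
CAP_SETUID/CAP_SETGID to /bin/login from an unprivileged agetty.  Pure
Python, no real syscalls; the file names are the ones from the mail."""

SETUID, SETGID, SYS_ADMIN = "cap_setuid", "cap_setgid", "cap_sys_admin"
BOUNDING = frozenset({SETUID, SETGID, SYS_ADMIN})  # stand-in bounding set


def exec_caps(proc_inheritable, filecaps, bounding=BOUNDING):
    """Capability transformation on execve().

    proc_inheritable: the executing process's inheritable set.
    filecaps: what setcap(8) stored on the file: 'permitted' and
    'inheritable' sets plus the 'effective' flag (an empty dict means
    the file carries no capabilities at all).
    Returns (permitted, effective, inheritable) of the new process image.
    """
    p_inh = frozenset(proc_inheritable)
    f_perm = frozenset(filecaps.get("permitted", ()))
    f_inh = frozenset(filecaps.get("inheritable", ()))
    new_perm = (p_inh & f_inh) | (f_perm & bounding)
    new_eff = new_perm if filecaps.get("effective", False) else frozenset()
    return new_perm, new_eff, p_inh  # inheritable set survives exec unchanged


def design_one():
    """/sbin/login.caps carries cap_setuid,cap_setgid=ep; agetty itself is a
    plain unprivileged process with an empty inheritable set."""
    login_caps = {"permitted": {SETUID, SETGID}, "effective": True}
    return exec_caps(set(), login_caps)


def design_two(target_filecaps):
    """agetty holds cap_setuid,cap_setgid in its own inheritable set (assumed
    raised from its file-granted permitted set); the target is only marked
    inheritable (=ei), so it receives whatever agetty passes down."""
    agetty_inheritable = {SETUID, SETGID}
    return exec_caps(agetty_inheritable, target_filecaps)


LOGIN_EI = {"inheritable": {SETUID, SETGID}, "effective": True}  # /bin/login
NO_FILECAPS = {}  # any file never touched by setcap

if __name__ == "__main__":
    print("design 1, /sbin/login.caps:", design_one())
    print("design 2, /bin/login (=ei):", design_two(LOGIN_EI))
    print("design 2, file without caps:", design_two(NO_FILECAPS))
```

The third call shows which files actually pick up the capabilities agetty offers under this rule: only those marked inheritable, with the group-executable bit still the only filesystem control over who may run them.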