Matthew Gregan <[EMAIL PROTECTED]> writes:
>> but *don't try it*. This turns off capabilities CAP_SYS_MODULE and
>> CAP_SYS_RAWIO, which stops anyone from loading modules, accessing
>> /dev/kmem, using ioperm() or iopl(), and a few other things. You
>> can't change it back without rebooting.
>
> You being "a well behaved uid=0 user".
If the kernel is working properly, then once CAP_SYS_MODULE is
disabled it is impossible for even a badly-behaved uid 0 user to add
capabilities back to cap-bound or to load or unload modules. Without
CAP_SYS_RAWIO, nobody can open /proc/kcore or /dev/mem. Are there any
other ways to stuff around with the running kernel?
--
"Hanging is too good for a man who makes puns; he should be drawn and quoted."
-- Fred Allen
