> You *still* have doubts about that after you got hacked via a
> privilege escalation exploit!? Come On.

[ Much chatter about pros/cons of selinux deleted ]

It seems like such a simple idea to me, but couldn't you run your daemon in a chroot jail? Since it was a bitcoind process, perhaps you could have started it in /var/bitcoin and chroot to that directory. Since there is absolutely no way to disable UID 0 (you can disable "root" but UID 0 is there for good) this seems to me to be an acceptable compromise until you can figure out exactly how to make bitcoind and selinux play nice.

Now maybe there's a reason why you can't use chroot. If so, then fine. But that's what I'd have done myself.

On Fri, Feb 7, 2014 at 12:08 PM, Andy Bradford <[email protected]> wrote:

> Thus said Michael Torrie on Thu, 06 Feb 2014 23:34:08 -0700:
>
> > It's my understanding that once you have root in a chroot you can
> > escape the chroot quite easily. Am I wrong about this?
>
> You're right. Don't put SUID binaries in the chroot.
>
> Andy
> --
> TAI64 timestamp: 4000000052f47f78
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
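
One way to check the "no SUID binaries in the chroot" advice from the thread before starting a daemon in a jail such as /var/bitcoin. This is an added example, not code from any of the posters; the function names are assumptions, and it extends the check to setgid files as well.

```shell
#!/bin/sh
# Added example (not from the thread): audit a chroot tree for set-ID files
# before starting a daemon in it. Function names are assumptions.

# list_setid DIR: print "KIND<TAB>PATH" for every regular file under DIR
# that carries the setuid or setgid bit. A setuid-root binary inside the
# jail is a path back to UID 0, and root inside a chroot can leave it.
list_setid() {
    jail=$1
    if [ ! -d "$jail" ]; then
        echo "not a directory: $jail" >&2
        return 2
    fi
    # -xdev keeps the scan on the jail's own filesystem.
    find "$jail" -xdev -type f -perm -4000 -exec printf 'SUID\t%s\n' {} \; &&
    find "$jail" -xdev -type f -perm -2000 -exec printf 'SGID\t%s\n' {} \;
}

# audit_chroot DIR: 0 = no set-ID files, 1 = findings printed, 2 = scan error.
audit_chroot() {
    findings=$(list_setid "$1") || return 2
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Run as a script: sh audit_chroot.sh /var/bitcoin
if [ "$#" -gt 0 ]; then
    audit_chroot "$1"
fi
```

A non-zero exit can gate the daemon's start script, so the jail is never entered while a set-ID file is present.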
