On Mon, 2007-07-30 at 21:10 -0400, James Strandboge wrote:
> Remember you can use capabilities to prevent loading of modules, so you
> can prevent those buggy drivers from loading at all. See:
>
> man capabilities
> man lcap (lcap is in universe)
> http://www.debian.org/doc/manuals/securing-debian-howto/securing-debian-howto.en.txt
> (section 10.4.2.1)

I meant to also add:

http://www.linuxjournal.com/article/5737

Also, in case you aren't aware, if removing CAP_SYS_MODULE, be sure to
do it *after* removing all other capabilities. Removing CAP_SYS_MODULE
removes access to /proc/sys/kernel/cap-bound (permission denied), and
you will thereafter not be able to adjust your capabilities any further
(until reboot that is).

Jamie Strandboge

--
ubuntu-server mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
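
Added example, not part of the original message or of lcap: a dry-run shell script that plans the order in which capabilities are cleared from a bounding-set mask, so that CAP_SYS_MODULE is always cleared last, as the message above advises. The function names cap_bit and plan_drops are hypothetical, the starting mask is a constructed sample, and nothing is written to /proc/sys/kernel/cap-bound.

```shell
#!/bin/sh
# Added example (not from the original thread). Dry run only: it prints
# the mask after each step and never touches /proc/sys/kernel/cap-bound.

# Bit numbers from <linux/capability.h> (subset).
cap_bit() {
    case "$1" in
        CAP_NET_ADMIN)  echo 12 ;;
        CAP_NET_RAW)    echo 13 ;;
        CAP_SYS_MODULE) echo 16 ;;
        CAP_SYS_RAWIO)  echo 17 ;;
        CAP_SYS_PTRACE) echo 19 ;;
        CAP_SYS_ADMIN)  echo 21 ;;
        CAP_SYS_BOOT)   echo 22 ;;
        CAP_SYS_TIME)   echo 25 ;;
        *) return 1 ;;
    esac
}

# plan_drops START_MASK CAP...
# Prints one "CAP_NAME 0xMASK" line per step (mask = value after that drop).
# Hypothetical helper: CAP_SYS_MODULE is deferred to the final step because
# clearing it blocks any further change to the bounding set until reboot.
plan_drops() {
    mask=$(( $1 )); shift
    module_requested=0
    ordered=""
    for cap in "$@"; do
        cap_bit "$cap" >/dev/null || { echo "unknown capability: $cap" >&2; return 1; }
        if [ "$cap" = CAP_SYS_MODULE ]; then
            module_requested=1
        else
            ordered="$ordered $cap"
        fi
    done
    [ "$module_requested" -eq 1 ] && ordered="$ordered CAP_SYS_MODULE"
    for cap in $ordered; do
        mask=$(( mask & ~(1 << $(cap_bit "$cap")) ))
        printf '%s 0x%08X\n' "$cap" "$mask"
    done
}

# Constructed sample: start with all 32 bits set, ask for CAP_SYS_MODULE first.
plan_drops 0xFFFFFFFF CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_BOOT
```

Review the printed plan before applying any mask by hand or with lcap; an unknown capability name aborts the plan instead of being skipped silently.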
