1Overview 2-------- 3 4As of Linux 2.2.0, the power of the superuser has been partitioned 5into a set of discrete capabilities (in other places, these 6capabilities are know as privileges). 7 8The contents of the libcap package are a library and a number of 9simple programs that are intended to show how an application/daemon 10can be protected (with wrappers) or rewritten to take advantage of 11this fine grained approach to constraining the danger to your system 12from programs running as 'root'. 13 14Notes on securing your system 15----------------------------- 16 17Adopting a role approach to system security: 18 19changing all of the system binaries and directories to be owned by 20some user that cannot log on. You might like to create a user with 21the name 'system' who's account is locked with a '*' password. This 22user can be made the owner of all of the system directories on your 23system and critical system binaries too. 24 25Why is this a good idea? In a simple case, the CAP_FUSER capabilty is 26required for the superuser to delete files owned by a non-root user in 27a 'sticky-bit' protected non-root owned directory. Thus, the sticky 28bit can help you protect the /lib/ directory from an compromized 29daemon where the directory and the files it contains are owned by the 30system user. It can be protected by using a wrapper like execcap to 31ensure that the daemon is not running with the CAP_FUSER capability... 32 33 34Limiting the damage: 35 36If your daemon only needs to be setuid-root in order to bind to a low 37numbered port. You should restrict it to only having access to the 38CAP_NET_BIND_SERVICE capability. Coupled with not having any files on 39the system owned by root, it becomes significantly harder for such a 40daemon to damage your system. 41 42Note, you should think of this kind of trick as making things harder 43for a potential attacker to exploit a hole in a daemon of this 44type. Being able to bind to any privileged port is still a formidable 45privilege and can lead to difficult but 'interesting' man in the 46middle attacks -- hijack the telnet port for example and masquerade as 47the login program... Collecting passwords for another day. 48 49 50The /proc/ filesystem: 51 52This Linux-specific directory tree holds most of the state of the 53system in a form that can sometimes be manipulated by file 54read/writes. Take care to ensure that the filesystem is not mounted 55with uid=0, since root (with no capabilities) would still be able to 56read sensitive files in the /proc/ tree - kcore for example. 57 58[Patch is available for 2.2.1 - I just wrote it!] 59