Linux has file-flags too

Posted May 9, 2004 22:13 UTC (Sun) by sweikart (guest, #4276)
In reply to: Linux has file-flags too by eru
Parent article: OpenBSD 3.5: a peek at another free Unix

> ... the superuser can set or clear [immutable/append-only attributes].

With a Linux kernel, you can prevent clearing these flags by dropping CAP_LINUX_IMMUTABLE from the Capability Bounding Set by doing:

    echo 0xFFFEFFFF > /proc/sys/kernel/cap-bound

And, to make the Linux kernel more secure than the similar OpenBSD setup, you can also drop CAP_SYS_MODULE and CAP_SYS_RAWIO (and similar capabilities). For a good description, see "Fun with the capability bounding set" at http://lwn.net/1999/1202/kernel.php3

Linux has file-flags too

Posted May 9, 2004 22:28 UTC (Sun) by sweikart (guest, #4276)

> With a Linux kernel, you can prevent clearing these flags by
> dropping CAP_LINUX_IMMUTABLE from the Capability Bounding Set
> by doing:
>
>     echo 0xFFFEFFFF > /proc/sys/kernel/cap-bound

Oops, I copied this line of code from the LWN article, and forgot to change it to drop CAP_LINUX_IMMUTABLE (the example above drops CAP_SYS_MODULE). To drop CAP_LINUX_IMMUTABLE, do

    echo 0xFFFFFDFF > /proc/sys/kernel/cap-bound
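
The mix-up corrected in the thread above comes from hand-editing a hex mask, so here is an added example (not part of either comment and not LWN's code) that builds a cap-bound mask from capability names and decodes a mask back into the capabilities it drops. The function names are hypothetical, the bit numbers are those in `<linux/capability.h>`, and the script only prints values: the system-wide `/proc/sys/kernel/cap-bound` file exists only on kernels before 2.6.25, so nothing is written to it here.

```shell
#!/bin/sh
# Added example: compute and decode 32-bit cap-bound masks.
# Only the three capabilities named in the thread are listed;
# bit numbers are from <linux/capability.h>.

cap_bit() {
    case "$1" in
        CAP_LINUX_IMMUTABLE) echo 9 ;;
        CAP_SYS_MODULE)      echo 16 ;;
        CAP_SYS_RAWIO)       echo 17 ;;
        *) echo "unknown capability: $1" >&2; return 1 ;;
    esac
}

# cap_bound_mask CAP...  -> hex mask with every listed capability cleared.
# Fails (non-zero) on an unknown name instead of emitting a partial mask.
cap_bound_mask() {
    mask=$((0xFFFFFFFF))
    for cap in "$@"; do
        bit=$(cap_bit "$cap") || return 1
        mask=$(( mask & ~(1 << $bit) & 0xFFFFFFFF ))
    done
    printf '0x%08X\n' "$mask"
}

# dropped_caps MASK -> names of the listed capabilities that MASK clears,
# or "none". Use it to check a mask before applying it.
dropped_caps() {
    out=""
    for cap in CAP_LINUX_IMMUTABLE CAP_SYS_MODULE CAP_SYS_RAWIO; do
        bit=$(cap_bit "$cap")
        if [ $(( ($1 >> $bit) & 1 )) -eq 0 ]; then
            out="${out:+$out }$cap"
        fi
    done
    echo "${out:-none}"
}

# The two masks quoted in the thread, then a mask dropping all three.
dropped_caps 0xFFFEFFFF
dropped_caps 0xFFFFFDFF
cap_bound_mask CAP_LINUX_IMMUTABLE CAP_SYS_MODULE CAP_SYS_RAWIO
```

Decoding a mask before writing it catches exactly the copy-and-paste error described in the second comment.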
Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.