Linux has file-flags too

Posted May 9, 2004 22:13 UTC (Sun) by sweikart (guest, #4276)
In reply to: Linux has file-flags too by eru
Parent article: OpenBSD 3.5: a peek at another free Unix

> ... the superuser can set or clear [immutable/append-only attributes].

With a Linux kernel, you can prevent clearing these flags by dropping CAP_LINUX_IMMUTABLE from the Capability Bounding Set by doing:

  echo 0xFFFEFFFF > /proc/sys/kernel/cap-bound

And, to make the Linux kernel more secure than the similar OpenBSD setup, you can also drop CAP_SYS_MODULE and CAP_SYS_RAWIO (and similar capabilities). For a good description, see "Fun with the capability bounding set" at
  http://lwn.net/1999/1202/kernel.php3



Linux has file-flags too

Posted May 9, 2004 22:28 UTC (Sun) by sweikart (guest, #4276)

> With a Linux kernel, you can prevent clearing these flags by
> dropping CAP_LINUX_IMMUTABLE from the Capability Bounding Set
> by doing:
>
>  echo 0xFFFEFFFF > /proc/sys/kernel/cap-bound

Oops, I copied this line of code from the LWN article, and forgot to change it to drop CAP_LINUX_IMMUTABLE (the example above drops CAP_SYS_MODULE). To drop CAP_LINUX_IMMUTABLE, do

  echo 0xFFFFFDFF > /proc/sys/kernel/cap-bound
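
Added example, not part of the thread: the two masks above differ by a single bit, which is easy to get wrong by hand. This sketch builds a mask by clearing named capability bits and decodes a mask back to names; the function names and the all-bits-set base value are assumptions, and the bit numbers are those defined in <linux/capability.h>.

```shell
#!/bin/sh
# Added example: compute and decode capability bounding set masks.
# Function names are hypothetical; bit numbers come from <linux/capability.h>.

# cap_number NAME -> bit position of the capability
cap_number() {
    case "$1" in
        CAP_LINUX_IMMUTABLE) echo 9 ;;
        CAP_SYS_MODULE)      echo 16 ;;
        CAP_SYS_RAWIO)       echo 17 ;;
        *) echo "unknown capability: $1" >&2; return 1 ;;
    esac
}

# cap_bound_mask BASE CAP... -> BASE with each named capability bit cleared.
# Runs in a subshell so its variables do not leak into the caller.
cap_bound_mask() (
    mask=$(( $1 & 0xFFFFFFFF ))
    shift
    for cap in "$@"; do
        n=$(cap_number "$cap") || exit 1
        mask=$(( mask & ~(1 << n) ))
    done
    printf '0x%08X\n' "$mask"
)

# cap_bound_dropped MASK -> known capabilities whose bit is clear in MASK
cap_bound_dropped() (
    mask=$(( $1 ))
    out=""
    for cap in CAP_LINUX_IMMUTABLE CAP_SYS_MODULE CAP_SYS_RAWIO; do
        n=$(cap_number "$cap")
        if [ $(( (mask >> n) & 1 )) -eq 0 ]; then
            out="${out:+$out }$cap"
        fi
    done
    echo "$out"
)

# Decode the mask from the first comment, then build the intended one.
# Base 0xFFFFFFFF (all bits set) is an assumption matching the thread's values.
cap_bound_dropped 0xFFFEFFFF                       # CAP_SYS_MODULE
cap_bound_mask 0xFFFFFFFF CAP_LINUX_IMMUTABLE      # 0xFFFFFDFF
cap_bound_mask 0xFFFFFFFF CAP_LINUX_IMMUTABLE CAP_SYS_MODULE CAP_SYS_RAWIO
```

It only computes values and never writes to /proc; the system-wide cap-bound file exists on kernels before 2.6.25, after which the bounding set became a per-thread attribute.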


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds