On Sat, Jul 22, 2000 at 11:40:37PM +0100, James Sutherland wrote:
> > It's IMPOSSIBLE as long as "root is god". And if root was retired from gods
> > via /proc/sys/kernel/cap-bound it's impossible at all and you do not need
> > this patch for that.
>
> So long as not having CAP_DESTROY_HARDWARE prevents this, and
> CAP_DESTROY_HARDWARE isn't available to anything by default, that's OK.
It's no good to have any capability other than CAP_SYS_RAWIO protect us
from direct talking to the drives via IOCTLs, because only after
switching this one off we can't do so by other means as well.
CAP_DESTROY_HARDWARE would be superfluous, you'd need to disable that,
*and* CAP_SYS_RAWIO as well to protect yourself from the damage.
Also, CAP_SYS_RAWIO is the exact capability meant for this type of
stuff.
-- Vojtech Pavlik SuSE Labs- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Sun Jul 23 2000 - 21:00:20 EST