[KLUG Members] Re: New security tool -- Yes!

[Bryan J. Smith]

On Thu, 2002-04-11 at 08:11, Adam Williams wrote:
> I was burrowing through PAM announcements this morning and discovered
> that the capability support in the kernel is now operational.  In the
> past Linux/UNIX services (sendmail, ntp, httpd) have had to start as
> root (setuid) and then shed root privilages in order to bind to a port. 
> Or just run setuid to be able to modify the system clock, etc...  Very
> all or nothing.  Capabilities lets the admin grant specific capabilities
> to a non-privilages process: bind to port below 1024, modify system
> clock, reboot system, adjust process priorities, etc....  This is a big
> step forward, and in conjunction with Kerberos V one should be able to
> construct an almost bullet proof system.  I personally dream of the day
> when the whole concept of "superuser" has faded away.
> ftp://ftp.guardian.no/pub/free/linux/capabilities/capfaq.txt
> file:///usr/src/linux/include/linux/capability.h
> http://freshmeat.net/projects/pam_capability/

Thanx dude!
Before, I had been using port forwarding to run services on privaledged
ports (by forwarding to user services on non-privaledged ports).
I'm glad to see this finally happen.

-- Bryan

P.S.  It's also better than the Windows XP approach of just letting
everyone do anything on any socket.  ;-P

-- 
The USDOJ v. Microsoft trial will result in unconditional surrender.
No matter who wins, the consumer will be subject to the victor's
"terms."  Which is worse?  Clueless government or clueless monopoly?
--------------------------------------------------------------------
Bryan J. Smith, SmithConcepts, Inc.        mailto:b.j.smith@ieee.org
Engineers and IT Professionals          http://www.SmithConcepts.com