> Can they not be limited to 1 well known file in selinux?
No; the kernel doesn't have any idea of particular file names.
OK...I guess that answers it.
But simply creating a directory for each daemon which is labeled by
RPM
installation should work.
OK, this sounds like just changing where a daemon writes the pid file instead of
re-writing the code so fchown isn't called. Good.
> There are only 3 daemons that I can think of that need to be
root:
>sshd, xinetd, crond.
It can be a very significant amount of work to change a daemon to run as
non-root, like dhcpcd.
Right. However, I think in the long term, you want to get as many converted as
possible. That adds 1 more layer of protection just in case someone figures out a
hole in se linux. That's one reason why I was asking if someone's tried to
determine the scale of the problem. Besides programs that spawn others under
various accts, they can usually be converted given time.
There's still the general problem with discretionary access
control here
too - A simple misconfiguration in for one of the daemons before it
drops root privileges could cause it to overwrite the pid file for
another daemon, violating the system security policy.
I haven't seen this, you'd have to code an exploit just for it. But what I do see
is daemons that crash leaving a pid file. Sooner or later a pid will match what's
in the pid file and can be killed by mistake. (root is usually the only one that
can do this.) I don't think this was mentioned so far in this thread. But this is
the real problem that people run across more often wrt pid files, not overwriting
a neighboring one.
I'm not against the proposal. I think it helps. I just want to try to air some of
the details so more people understand what's be proposed.
-Steve Grubb
__________________________________
Do you Yahoo!?
Yahoo! Mail - 50x more storage than other providers!
http://promotions.yahoo.com/new_mail