On Wed, Aug 13, 2003 at 04:02:41PM -0400, Colin Walters wrote:
> Why? Because SELinux doesn't solely associate security with executable
> pathnames. If someone takes over control of the apache process via a
> buffer overflow or whatever, they don't need /bin/ls to list a
> directory; they can just as easily use the opendir/readdir/stat system
> calls. Likewise, they don't need /bin/mount to mount filesystems; they
> can just as easily use the mount syscalls.
>
> So the whole grsecurity ACL system seems very weak in that respect.

grsec handles this by allowing you to restrict Linux capabilities for a process. For example, there's no reason /usr/sbin/apache should have access to CAP_SYS_ADMIN (allows mount/umount, amongst other things) or CAP_SYS_PTRACE (run ptrace) or many others.
Anyway, since grsec uses PaX, it's very unlikely that anyone will "take control" of apache through a buffer overflow. ;-)
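Added example, not part of the list post and not grsecurity's own code or RBAC policy syntax: the per-process capability allow-list that the reply describes for apache, expressed with the stock Linux capget(2)/capset(2)/prctl(2) interface so it can be compiled and run on any Linux box without grsec. It keeps only CAP_NET_BIND_SERVICE (an assumed allow-list for a web server that binds port 80), drops everything else including CAP_SYS_ADMIN and CAP_SYS_PTRACE, and then shows that the raw mount(2) call Colin mentions is refused with EPERM regardless of which binary issues it. The /tmp target and the tmpfs type are arbitrary choices for the demonstration.

```c
/* Added example (not from the list post, not grsecurity code): enforce a
 * capability allow-list on the current process with plain capset(2)/prctl(2),
 * then show that the mount syscall is refused even though no /bin/mount is
 * involved. Assumptions: CAP_NET_BIND_SERVICE is the only capability a web
 * server needs; /tmp exists; tmpfs is available. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/capability.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Raw capget/capset wrappers (v3 layout: two 32-bit words per set);
 * libcap is deliberately not used so the file builds with only libc. */
static int cap_get(struct __user_cap_data_struct d[2]) {
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return (int)syscall(SYS_capget, &h, d);
}
static int cap_set(struct __user_cap_data_struct d[2]) {
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return (int)syscall(SYS_capset, &h, d);
}

/* 1 if `cap` is in the effective set, 0 if not, -1 on error. */
int has_cap(int cap) {
    struct __user_cap_data_struct d[2];
    if (cap_get(d) < 0) return -1;
    return (int)((d[cap / 32].effective >> (cap % 32)) & 1);
}

/* Keep only the capabilities whose bits are set in `keep` (bit n == cap n)
 * in the permitted, effective and inheritable sets, and, where allowed, in
 * the bounding set. The kernel always lets a process shrink its own sets, so
 * this succeeds for root and non-root alike. Returns 0 on success, -1 on error. */
int restrict_caps(uint64_t keep) {
    struct __user_cap_data_struct d[2];
    if (cap_get(d) < 0) return -1;
    uint32_t keep_lo = (uint32_t)keep, keep_hi = (uint32_t)(keep >> 32);
    d[0].permitted   &= keep_lo;  d[1].permitted   &= keep_hi;
    d[0].inheritable &= keep_lo;  d[1].inheritable &= keep_hi;
    d[0].effective = d[0].permitted;  d[1].effective = d[1].permitted;
    /* Bounding set needs CAP_SETPCAP, which we may not hold: best effort,
     * done before capset() takes it away. Without this a setuid-root binary
     * executed later could regain the dropped capabilities. */
    for (int c = 0; c <= CAP_LAST_CAP; c++)
        if (!((keep >> c) & 1))
            (void)prctl(PR_CAPBSET_DROP, c, 0, 0, 0);
    if (cap_set(d) < 0) return -1;
    /* Also block setuid/file-capability escalation across execve. */
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* The syscall a compromised httpd would issue instead of running /bin/mount.
 * Returns 0 if the mount succeeded (and undoes it), otherwise the errno. */
int try_mount_tmpfs(const char *dir) {
    if (mount("none", dir, "tmpfs", 0, NULL) == 0) {
        (void)umount(dir);
        return 0;
    }
    return errno;
}

int main(void) {
    printf("before: CAP_SYS_ADMIN=%d CAP_SYS_PTRACE=%d\n",
           has_cap(CAP_SYS_ADMIN), has_cap(CAP_SYS_PTRACE));
    if (restrict_caps(1ULL << CAP_NET_BIND_SERVICE) < 0) {
        perror("restrict_caps");
        return 1;
    }
    printf("after:  CAP_SYS_ADMIN=%d CAP_SYS_PTRACE=%d\n",
           has_cap(CAP_SYS_ADMIN), has_cap(CAP_SYS_PTRACE));
    int e = try_mount_tmpfs("/tmp");
    printf("mount(2) after drop: %s\n", e ? strerror(e) : "succeeded (unexpected)");
    return 0;
}
```

Run it as root to see CAP_SYS_ADMIN go from 1 to 0 and the subsequent mount(2) fail with "Operation not permitted"; as an ordinary user the capability is already absent and the mount fails the same way, which is the point: the check is on the process's capability set, not on which executable made the call. grsecurity's RBAC achieves the same effect from the policy side, without the daemon having to cooperate, which matters when the daemon is the thing that has been taken over.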