Good morning everyone,

in the Securing Debian Manual it is described how to remove CAP_LINUX_IMMUTABLE from the system, so that the file attributes 'i' and 'a' can't be changed afterwards (until the next reboot) [1]. That doesn't seem to work in recent versions of Debian anymore, because -- if I understand it right -- from Linux 2.6.25 on the capability bounding set changed. Therefore, lcap is removed from Debian, and there is no /proc/sys/kernel/cap-bound anymore.
Can I still achieve the same effect with a recent kernel (e.g. 3.2.54)? How would I do that so no process can gain that capability? Or does that section just need to get removed from the manual?

Cheers,
Simon

[1] https://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html#s4.17