On Tue, Apr 21, 2015 at 11:36:54AM -0500, Eric W. Biederman wrote: > > HeHeHe. You mean all I need to do to get around all of the logging servers is > capture CAP_SYS_BOOT? Say like just capture this crazy watchdog program > that doesn't run as root so that it can only reboot the system? HeHeHe > So I can just trigger a clean reboot wait for journald, auditd, and > syslog all to shut down and then do evil things to the machine without > having to worry about erasing forensic evidence?
CAP_SYS_BOOT gives you kexec, and kexec with init=/bin/sh lets you do anything. You added that in dc009d92435f99498cbc579ce76bf28e837e2c14 and now the horse is long gone. Don't give CAP_SYS_BOOT to anything you don't trust with full privileges. -- Matthew Garrett | mj...@srcf.ucam.org -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
