Re: root access to block disk devices


From: steve <steve@clublinux.org>
Subject: Re: root access to block disk devices
Date: Sun, 15 Jul 2001 20:53:24 -0500



Hello?  Is anyone listening? :-)
	
I figured out how to prevent root from accessing your disks through the
devices. What was holding me up is that I was removing the rights from
the device for root, but root was still getting access from Group 0
(everyone). Once I removed rights from that group, root could no longer
access the information on disk using the devices (e.g. /dev/sda,
/dev/sda1, etc.).

Maybe this is old news, but I couldn't find a reference to it in the
archives.

Cheers!
Steve


steve wrote:
> 
> Hi,
>         I'm trying to prevent root from accessing my disk devices directly.
> Using ACLs, I've been successful in preventing root from doing an 'ls -l
> /dev/sda' (not what I really want), but 'strings /dev/sda' still works.
> I would like to prevent root from reading/writing directly to any
> /dev/sda* file.
>         I've modified the inherit masks on /dev/sda for both FD and DEV targets
> and removed all access.  This still doesn't prevent root from reading
> /dev/sda directly.
> 
> What am I missing?
> 
> I've discovered that root can't read /dev/mem or /dev/kmem.  How are
> these protections being set up?
> 
> I'm using the rsbac_menu for configuration.  Are all necessary options
> for ACLs, FF, AUTH, and RC available through the menu?  Maybe that's my
> problem.
> 
> Thanks in advance,
> Steve
> -
> To unsubscribe from the rsbac list, send a mail to
> majordomo@rsbac.org with
> unsubscribe rsbac
> as single line in the body.