A build has been prepared
Main features
- Installation onto 4 partitions: "/", "/boot", "/var" and "/home". The "/" and "/boot" partitions are mounted read-only, while "/home" and "/var" are mounted in noexec mode;
- Kernel patch CONFIG_SETCAP. The setcap module can disable specified system capabilities or make them available to all users. The module is configured by the superuser on a running system through the sysctl interface or the /proc/sys/setcap file, and can be frozen against further changes until the next reboot.
In normal mode, CAP_CHOWN(0), CAP_DAC_OVERRIDE(1), CAP_DAC_READ_SEARCH(2), CAP_FOWNER(3) and 21(CAP_SYS_ADMIN) are disabled in the system. The system is returned to its regular state with the tinyware-beforeadmin command (privilege elevation). Security levels can be built on top of this module.
- Kernel patch PROC_RESTRICT_ACCESS. This option tightens access to the /proc/pid directories and /proc files from 555 to 750, with the group of all directories assigned to root. As a result, users see only their own processes in the "ps" command. Root still sees all processes on the system.
- Kernel patch CONFIG_FS_ADVANCED_CHOWN, which allows ordinary users to change the ownership of files and directories inside their own directories.
- Some changes to the default settings (for example, UMASK is set to 077).
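As an added example, not part of the original announcement and not the distribution's own tooling, the following Python audit script checks a host against the policy listed above: it parses /proc/mounts-style output for the read-only and noexec requirements on the four partitions, and decodes a /proc/<pid>/status capability mask to confirm that the five listed capabilities are absent. It assumes the standard Linux capability bit numbers and the generic CapBnd (bounding set) field, since the CONFIG_SETCAP module's own reporting interface is not described here; the sample mount tables and status lines are constructed.

```python
"""Audit helpers for the hardening policy above (constructed example, not the project's code)."""

# Capability bit numbers as defined in the standard Linux linux/capability.h.
# These are the five capabilities the announcement says are disabled in normal mode.
RESTRICTED_CAPS = {
    "CAP_CHOWN": 0,
    "CAP_DAC_OVERRIDE": 1,
    "CAP_DAC_READ_SEARCH": 2,
    "CAP_FOWNER": 3,
    "CAP_SYS_ADMIN": 21,
}

# Mount policy from the announcement: mount point -> option that must be present.
MOUNT_POLICY = {
    "/": "ro",
    "/boot": "ro",
    "/home": "noexec",
    "/var": "noexec",
}

# Constructed /proc/mounts samples: one compliant, one with two violations.
SAMPLE_MOUNTS_OK = """\
/dev/sda1 / ext4 ro,relatime 0 0
/dev/sda2 /boot ext4 ro,relatime 0 0
/dev/sda3 /var ext4 rw,noexec,nosuid,nodev,relatime 0 0
/dev/sda4 /home ext4 rw,noexec,nosuid,nodev,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
"""

SAMPLE_MOUNTS_BAD = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /boot ext4 ro,relatime 0 0
/dev/sda3 /var ext4 rw,noexec,relatime 0 0
/dev/sda4 /home ext4 rw,relatime 0 0
"""

# Constructed CapBnd lines (the kernel prints 16 hex digits). The first is an
# unrestricted bounding set for capability bits 0..40; the second has bits
# 0, 1, 2, 3 and 21 cleared, matching the announcement's "normal mode".
STATUS_UNRESTRICTED = "Name:\tbash\nCapBnd:\t000001ffffffffff\n"
STATUS_HARDENED = "Name:\tbash\nCapBnd:\t000001ffffdffff0\n"


def parse_mounts(text):
    """Parse /proc/mounts-style lines into {mount_point: set(options)}."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        mount_point, options = fields[1], fields[3]
        mounts[mount_point] = set(options.split(","))
    return mounts


def check_mounts(text, policy=MOUNT_POLICY):
    """Return a list of (mount_point, missing_requirement) violations."""
    mounts = parse_mounts(text)
    violations = []
    for mount_point, required in policy.items():
        options = mounts.get(mount_point)
        if options is None:
            violations.append((mount_point, "not mounted"))
        elif required not in options:
            violations.append((mount_point, required))
    return violations


def parse_cap_mask(status_text, field="CapBnd"):
    """Extract the hex capability mask for `field` from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith(field + ":"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError(f"{field} not found in status text")


def enabled_restricted_caps(mask, restricted=RESTRICTED_CAPS):
    """Names of capabilities that the policy disables but that are set in `mask`."""
    return sorted(name for name, bit in restricted.items() if mask & (1 << bit))


if __name__ == "__main__":
    # Live audit on a Linux host; falls back to the constructed samples elsewhere.
    try:
        with open("/proc/mounts") as f:
            mounts_text = f.read()
        with open("/proc/self/status") as f:
            status_text = f.read()
    except OSError:
        mounts_text, status_text = SAMPLE_MOUNTS_BAD, STATUS_UNRESTRICTED
    print("mount violations:", check_mounts(mounts_text))
    print("restricted caps still enabled:",
          enabled_restricted_caps(parse_cap_mask(status_text)))
```

On a real host the bounding set of a single process is only a partial view: the announcement's module acts system-wide, so a complete audit would inspect the capability sets of processes owned by several users, not just the auditing shell.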
Source: opennet.ru