Main developments of the project:
- Installation across four partitions: "/", "/boot", "/var" and "/home". The "/" and "/boot" partitions are mounted read-only, and "/home" and "/var" are mounted with noexec;
- Kernel patch CONFIG_SETCAP. The setcap module can disable specified system capabilities or enable them for all users. The superuser configures the module while the system is running, through the sysctl interface or the /proc/sys/setcap files, and the configuration can be frozen against further changes until the next reboot. In normal mode, CAP_CHOWN(0), CAP_DAC_OVERRIDE(1), CAP_DAC_READ_SEARCH(2), CAP_FOWNER(3) and CAP_SYS_ADMIN(21) are disabled in the system. The system is switched to normal mode with the tinyware-beforereadmin command (mounting and capabilities). A securelevel harness can be built on top of the module.
- Kernel patch PROC_RESTRICT_ACCESS. This option changes the permissions on the /proc/pid directories in the /proc file system from 555 to 750, with the group of all these directories set to root. As a result, users see only their own processes with the "ps" command. Root still sees all processes in the system.
- Kernel patch CONFIG_FS_ADVANCED_CHOWN, which allows regular users to change the owner of files and subdirectories inside their own directories.
- Some changes to default settings (for example, UMASK is set to 077).
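The partition layout in the first item can be checked against a running system's mount table. The following is an added example, not code from the project: the `REQUIRED` policy table, the function names and the sample mount table are constructed for illustration, and the input is assumed to be in the Linux /proc/mounts format.

```python
"""Audit a mount table against the read-only / noexec layout listed above."""
import os

# Policy from the list above: mount point -> option that must be present.
REQUIRED = {"/": "ro", "/boot": "ro", "/home": "noexec", "/var": "noexec"}

# Constructed sample in /proc/mounts format:
# device, mount point, fs type, options, dump, pass
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 ro,relatime 0 0
/dev/sda1 /boot ext4 ro,relatime 0 0
/dev/sda3 /var ext4 rw,noexec,relatime 0 0
/dev/sda4 /home ext4 rw,nosuid,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
"""


def parse_mounts(text):
    """Return {mount_point: set(options)}; a later line wins (overmounts)."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        # /proc/mounts escapes a space inside a path as \040
        mount_point = fields[1].replace("\\040", " ")
        table[mount_point] = set(fields[3].split(","))
    return table


def audit(text, required=REQUIRED):
    """Return a list of (mount_point, problem) for every deviation."""
    table = parse_mounts(text)
    findings = []
    for mount_point, option in required.items():
        if mount_point not in table:
            findings.append((mount_point, "not a separate mount"))
        elif option not in table[mount_point]:
            findings.append((mount_point, f"missing option {option}"))
    return findings


if __name__ == "__main__":
    # Use the live table when available, otherwise the constructed sample.
    live = "/proc/mounts"
    source = open(live).read() if os.path.exists(live) else SAMPLE_MOUNTS
    for mount_point, problem in audit(source):
        print(f"{mount_point}: {problem}")
```

An empty result means all four mount points exist as separate mounts and carry the required option.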
Source: opennet.ru