Project features
Basics
- Installation across 4 partitions: "/", "/boot", "/var" and "/home". The "/" and "/boot" partitions are mounted read-only, while "/home" and "/var" are mounted noexec;
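A quick way to verify that a running system actually matches the layout above is to compare the mount table against the stated policy. The following is an added example, not code from the project: it parses text in /proc/mounts format (the sample table is constructed; on a live system the contents of /proc/mounts can be passed to the same function) and reports every mountpoint that lacks a required option or is not mounted at all.

```python
"""Audit mount options against the read-only / noexec layout described above.

Added example, not the project's own code. SAMPLE_MOUNTS is a constructed
table in /proc/mounts format; it deliberately leaves "noexec" off /home so
the check has something to report.
"""

# Policy from the text: "/" and "/boot" read-only, "/home" and "/var" noexec.
REQUIRED_OPTIONS = {
    "/": {"ro"},
    "/boot": {"ro"},
    "/home": {"noexec"},
    "/var": {"noexec"},
}

# Constructed sample (device mountpoint fstype options dump pass), as /proc/mounts prints it.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 ro,relatime,errors=remount-ro 0 0
/dev/sda2 /boot ext4 ro,relatime 0 0
/dev/sda3 /var ext4 rw,nosuid,noexec,relatime 0 0
/dev/sda4 /home ext4 rw,nosuid,nodev,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
"""


def parse_mounts(text):
    """Return {mountpoint: set(options)} from /proc/mounts-style text."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        _device, mountpoint, _fstype, options = fields[:4]
        # Octal escapes such as \040 (space) in mountpoints are left undecoded here.
        table[mountpoint] = set(options.split(","))
    return table


def check_mount_policy(text, policy=REQUIRED_OPTIONS):
    """Return a sorted list of (mountpoint, problem) tuples.

    problem is either a missing option name or "not mounted".
    """
    mounts = parse_mounts(text)
    violations = []
    for mountpoint, required in policy.items():
        if mountpoint not in mounts:
            violations.append((mountpoint, "not mounted"))
            continue
        for option in sorted(required - mounts[mountpoint]):
            violations.append((mountpoint, option))
    return sorted(violations)


if __name__ == "__main__":
    for mountpoint, problem in check_mount_policy(SAMPLE_MOUNTS):
        print(f"{mountpoint}: {problem}")
```

Run against the constructed sample it prints `/home: noexec`; against a correctly installed system the function returns an empty list. Note that "ro" and "noexec" in /proc/mounts reflect the effective mount flags, so a later `mount -o remount,rw /` would show up here even if /etc/fstab still says ro.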
- Kernel patch CONFIG_SETCAP. The setcap module can disable specified system capabilities, or enable them, for all users. The module is configured by the superuser while the system is running, through the sysctl interface or the /proc/sys/setcap files, and can be frozen against further changes until the next reboot.
By default, CAP_CHOWN(0), CAP_DAC_OVERRIDE(1), CAP_DAC_READ_SEARCH(2), CAP_FOWNER(3) and CAP_SYS_ADMIN(21) are disabled in the system. The system is returned to its default state with the tinyware-beforereadmin command (raising the capabilities again). Building on the module, enforced security levels can be developed.
- Kernel patch PROC_RESTRICT_ACCESS. This option restricts the permissions of the /proc/<pid> directories in the /proc filesystem from 555 to 750, while the group of all those directories is set to root. Users therefore see only their own processes with the "ps" command; root still sees all processes in the system.
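The two patches above are easy to check from user space without relying on the module's own interface (whose sysctl format is not described here): the capability bounding set of any process is printed as a hex mask in the CapBnd line of /proc/<pid>/status, and the /proc/<pid> permissions and group can be read with a plain stat. The following is an added example, not code from the project. The /proc/<pid>/status excerpts are constructed; the capability bit numbers are the ones given in the text (they match the kernel's own numbering). On a live system the same functions can be fed the contents of /proc/self/status and the st_mode/st_gid of os.stat("/proc/<pid>").

```python
"""Verify that the capabilities listed above are absent from a process's
bounding set and that /proc/<pid> directories carry mode 750 with group root.

Added example, not the project's own code. The status excerpts below are
constructed samples of /proc/<pid>/status output.
"""
import stat

# Capability numbers as given in the text.
DISABLED_CAPS = {
    "CAP_CHOWN": 0,
    "CAP_DAC_OVERRIDE": 1,
    "CAP_DAC_READ_SEARCH": 2,
    "CAP_FOWNER": 3,
    "CAP_SYS_ADMIN": 21,
}

# Constructed /proc/<pid>/status excerpt: bounding set with bits 0-3 and 21 cleared.
SAMPLE_STATUS_HARDENED = """\
Name:\tbash
CapInh:\t0000000000000000
CapPrm:\t000001ffffffffff
CapEff:\t000001ffffffffff
CapBnd:\t000001ffffdffff0
"""

# Constructed excerpt of a stock kernel: full bounding set (bits 0-40 set).
SAMPLE_STATUS_DEFAULT = SAMPLE_STATUS_HARDENED.replace("000001ffffdffff0", "000001ffffffffff")


def parse_cap_mask(status_text, field="CapBnd"):
    """Return the integer capability mask from a Cap* line of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith(field + ":"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError(f"{field} line not found")


def caps_present(mask, caps=DISABLED_CAPS):
    """Names from `caps` whose bit is still set in `mask` (should be empty when hardened)."""
    return sorted(name for name, bit in caps.items() if (mask >> bit) & 1)


def check_proc_dir(st_mode, st_gid, root_gid=0):
    """Return a list of problems for a /proc/<pid> directory's mode and group.

    PROC_RESTRICT_ACCESS as described above yields mode 750 and group root.
    """
    problems = []
    perm = stat.S_IMODE(st_mode)
    if perm != 0o750:
        problems.append(f"mode {perm:o} expected 750")
    if st_gid != root_gid:
        problems.append(f"gid {st_gid} expected {root_gid}")
    return problems


if __name__ == "__main__":
    print("still in bounding set:", caps_present(parse_cap_mask(SAMPLE_STATUS_HARDENED)))
    print("stock kernel:", caps_present(parse_cap_mask(SAMPLE_STATUS_DEFAULT)))
    print("unpatched /proc/<pid>:", check_proc_dir(stat.S_IFDIR | 0o555, 0))
```

Checking CapBnd rather than CapEff is deliberate: the bounding set is the ceiling no process in the tree can exceed, so a cleared bit there shows the system-wide disable has taken effect even for a root shell whose effective set would otherwise be full.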
- Kernel patch CONFIG_FS_ADVANCED_CHOWN, allowing ordinary users to change the ownership of files and subdirectories within their own directories.
- Other changes to the default settings (e.g. UMASK set to 077).
Source: opennet.ru