Imihlangano yephrojekthi isilungisiwe
main
- Ukufakwa kuma-partitions angu-4 “/”, “/boot”, “/var” kanye “/home”. Izingxenye ze-“/” kanye “/ne-boot” zifakwe kumodi yokufunda kuphela, futhi “/ikhaya” kanye “/var” afakwe kumodi ye-noexec;
- Ipheshi ye-Kernel CONFIG_SETCAP. Imojuli ye-setcap ingakhubaza amakhono esistimu acacisiwe noma iwanike amandla kubo bonke abasebenzisi. Imojula ilungiswa umsebenzisi omkhulu ngenkathi isistimu isebenza ngesixhumi esibonakalayo se-sysctl noma /proc/sys/setcap amafayela futhi ingafrizwa ekwenzeni izinguquko kuze kuqaliswe kabusha okulandelayo.
Kumodi evamile, CAP_CHOWN(0), CAP_DAC_OVERRIDE(1), CAP_DAC_READ_SEARCH(2), CAP_FOWNER(3) kanye no-21(CAP_SYS_ADMIN) akhutshaziwe ohlelweni. Uhlelo lubuyiselwa esimweni salo esijwayelekile kusetshenziswa umyalo we-tinyware-beforereadmin (ukukhweza namandla). Ngokusekelwe kumojula, ungathuthukisa ihhanisi lamazinga avikelekile. - Isipeshi esiyinhloko PROC_RESTRICT_ACCESS. Le nketho ikhawulela ukufinyelela kunkhombandlela /proc/pid kusistimu yefayela le-proc ukusuka ku-555 kuya ku-750, kuyilapho iqembu lazo zonke izinkomba labelwe ukuzimpande. Ngakho-ke, abasebenzisi babona izinqubo zabo kuphela ngomyalo othi "ps". U-Root usabona zonke izinqubo ohlelweni.
- CONFIG_FS_ADVANCED_CHOWN kernel patch ukuvumela abasebenzisi abajwayelekile ukuthi bashintshe ubunikazi bamafayela neziqondiso ezingaphansi kwemibhalo yabo.
- Ezinye izinguquko ezilungiselelweni ezimisiwe (isb. UMASK isethwe ku-077).
Source: opennet.ru