generated from sig_core/wiki-template
Merge pull request 'Add packages/control.md' (#17) from solardiz-patch-15 into main
All checks were successful
mkdocs build / build (push) Successful in 29s
All checks were successful
mkdocs build / build (push) Successful in 29s
Reviewed-on: #17 Reviewed-by: Neil Hanlon <neil@noreply@resf.org>
This commit is contained in:
commit
af432a5b33
@ -35,11 +35,12 @@ This isn't as secure as checking the package signature would be _if_ you previou
|
|||||||
### Extra packages (for EL8 and EL9)
|
### Extra packages (for EL8 and EL9)
|
||||||
|
|
||||||
- [lkrg](packages/lkrg.md) (Linux Kernel Runtime Guard)
|
- [lkrg](packages/lkrg.md) (Linux Kernel Runtime Guard)
|
||||||
- [passwdqc](packages/passwdqc.md) (Password/passphrase strength checking and policy enforcement)
|
- [passwdqc](packages/passwdqc.md) (password/passphrase strength checking and policy enforcement)
|
||||||
|
|
||||||
### Extra packages (currently only for EL9)
|
### Extra packages (currently only for EL9)
|
||||||
|
|
||||||
- [hardened_malloc](packages/hardened_malloc.md) (Security-focused memory allocator providing the malloc API, and a script to preload it into existing program binaries)
|
- [control](packages/control.md) (a common interface to register and control security-relevant system facilities)
|
||||||
|
- [hardened_malloc](packages/hardened_malloc.md) (security-focused memory allocator providing the malloc API, and a script to preload it into existing program binaries)
|
||||||
|
|
||||||
### Override packages (for EL8 and EL9)
|
### Override packages (for EL8 and EL9)
|
||||||
|
|
||||||
|
37
docs/packages/control.md
Normal file
37
docs/packages/control.md
Normal file
@ -0,0 +1,37 @@
|
|||||||
|
# Extra package: control
|
||||||
|
|
||||||
|
## EL9
|
||||||
|
|
||||||
|
- Version `0.8.0-2.el9_3.security`
|
||||||
|
|
||||||
|
### Package summary
|
||||||
|
|
||||||
|
`control` provides a common interface to register and control (what it calls) system facilities.
|
||||||
|
This is intended primarily for facilities that can potentially be dangerous to system security, to let you enable, disable, or configure each facility.
|
||||||
|
A typical facility is a SUID/SGID/setcap program or a configuration setting of a service.
|
||||||
|
|
||||||
|
`control` originates in Owl and is actively maintained in ALT Linux.
|
||||||
|
|
||||||
|
### Usage in Rocky Linux
|
||||||
|
|
||||||
|
While the original `control` package in Owl and ALT Linux merely provides the common interface mentioned above for other packages to register their facilities with (and many packages in those distros do), it's been adapted in Rocky Linux to provide its own sub-packages with facility specifications and RPM trigger scripts for other packages coming from EL. This way, we can `control` those facilities and have custom settings persist (be automatically saved and restored) over package upgrades without us having to maintain forks of those other packages.
|
||||||
|
|
||||||
|
Initially, there are 2 sub-packages:
|
||||||
|
|
||||||
|
#### control
|
||||||
|
|
||||||
|
The main package providing the common interface, but no facilities of its own.
|
||||||
|
Please refer to `control(8)` man page for command-line usage syntax.
|
||||||
|
|
||||||
|
#### control-shadow
|
||||||
|
|
||||||
|
Facility files corresponding to the `shadow-utils` package. Currently, these allow to `control` access to 5 privileged programs (3 of them are by default SUID root and 2 `cap_setuid=ep`, thus posing risk to system security in case of vulnerabilities in them).
|
||||||
|
|
||||||
|
```
|
||||||
|
# control
|
||||||
|
chage public (public restricted)
|
||||||
|
gpasswd public (public wheelonly restricted)
|
||||||
|
newgidmap public (public wheelonly restricted)
|
||||||
|
newgrp public (public wheelonly restricted)
|
||||||
|
newuidmap public (public wheelonly restricted)
|
||||||
|
```
|
Loading…
Reference in New Issue
Block a user