One of the major features of the so-called "hardened Linux" systems, like seLinux (which was co-developed by the US National Security Agency!), is to reduce the reliance upon the root user-id. For example, many daemons (services) must run or start as root simply because they need to be able to open TCP/IP port numbers less than 1024. Hardened systems introduce the idea of capabilities, granting the program the permission to do specific things but only those things.
PAM (pluggable authentication modules) is a system that, as far as I know, is included in most distros already, hardened or not. This system puts many authentication tasks, ranging from user logins to e-mail, or really, any application that wishes to use PAM, in a single common place governed by a single set of flexible rules that can be managed from the contents of a single directory.
|