[systemd-devel] question about SecureBits / NoNewPrivileges
Lennart Poettering
lennart at poettering.net
Thu Jul 25 11:00:32 PDT 2013
On Sat, 20.07.13 04:06, Reindl Harald (h.reindl at thelounge.net) wrote:
> Hi
>
> i try to secure the Apache-Webserver (mpm-prefork) as much as possible
>
> am i right that with the following settings in the systemd-unit after the child-process
> is forked with the "apache" user and the capabilities are reduced as below even a
> potential root exploit would have no success? "SecureBits=noroot" fails i guess
> because it even disallows the parent-process to run as root after
> start
IIRC combining NoNewPrivileges with CAP_SETUID doesn't really make much
sense as the latter is one way how to gain new privs, but the former
doesn't allow this.
Lennart
--
Lennart Poettering - Red Hat, Inc.
More information about the systemd-devel
mailing list