[systemd-devel] question about SecureBits / NoNewPrivileges

Lennart Poettering lennart at poettering.net
Thu Jul 25 11:00:32 PDT 2013


On Sat, 20.07.13 04:06, Reindl Harald (h.reindl at thelounge.net) wrote:

> Hi
> 
> I try to secure the Apache-Webserver (mpm-prefork) as much as possible
> 
> Am I right that with the following settings in the systemd-unit, after the child-process
> is forked with the "apache" user and the capabilities are reduced as below, even a
> potential root exploit would have no success? "SecureBits=noroot" fails, I guess,
> because it even disallows the parent-process to run as root after
> start


IIRC combining NoNewPrivileges with CAP_SETUID doesn't really make much
sense, as the latter is one way to gain new privs, but the former
doesn't allow this.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
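
An added example, not part of the message above and not systemd code: a small Python check that reads a unit's [Service] section and flags the combination the reply points at, NoNewPrivileges= enabled while CAP_SETUID is still in the bounding set. It assumes the capabilities in the question were set with CapabilityBoundingSet=; the sample unit and the names `service_settings` and `audit` are constructed for illustration, and the merge rules are modelled on systemd.exec(5).

```python
TRUE = {"1", "yes", "y", "true", "t", "on"}  # boolean spellings systemd accepts

SAMPLE_UNIT = """\
[Service]
ExecStart=/usr/sbin/httpd -DFOREGROUND
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID
"""  # constructed sample, not the unit from the thread

def service_settings(unit_text):
    """Yield (key, value) pairs from the [Service] section, in file order."""
    section = None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, _, value = line.partition("=")
            yield key.strip(), value.strip()

def audit(unit_text):
    """Report whether NoNewPrivileges= is on while CAP_SETUID stays bounded-in."""
    nnp = False
    # Bounding set as (complement, names): complement=True means "all except names".
    complement, names, unset = True, set(), True  # unset = no restriction
    for key, value in service_settings(unit_text):
        if key == "NoNewPrivileges":
            nnp = value.lower() in TRUE
        elif key == "CapabilityBoundingSet":
            invert = value.startswith("~")
            caps = set(value.lstrip("~").upper().split())
            if not caps:      # "" resets to the empty set, "~" to the full set
                complement, names, unset = invert, set(), invert
            elif unset:       # first real assignment replaces the default
                complement, names, unset = invert, caps, False
            elif invert == complement:
                names |= caps  # grow the listed (or the excluded) names
            else:
                names -= caps  # OR into an "all except" set, or AND-out of a list
    keeps = ("CAP_SETUID" in names) != complement
    return {"no_new_privileges": nnp, "keeps_cap_setuid": keeps,
            "conflict": nnp and keeps}

if __name__ == "__main__":
    print(audit(SAMPLE_UNIT))
```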

