[systemd-devel] Running a systemd service in capability-only environment as non-root user
Michal Witanowski
m.witanowski at samsung.com
Wed May 28 06:36:49 PDT 2014
On 05/28/2014 01:52 PM, Mantas Mikulėnas wrote:
> Not sure what security hole you see here. If the executable owns
> cap_foo=ei (*not* cap_foo=eip), then running it will not grant any
> capabilities unless its process (or the parent process) explicitly
> adds them to the inheritable set...
And that's the solution - using "ei" instead of "eip". Why haven't I
thought about it earlier... Thank you very much!
BRs,
Michal
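
The difference between "ei" and "eip" discussed above, as an added example that is not part of the original message: a C model of the execve() capability rule from capabilities(7) for a non-root process executing a file that carries file capabilities. CAP_NET_BIND_SERVICE stands in for the thread's cap_foo, and the struct and function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define CAP_NET_BIND_SERVICE 10          /* value from <linux/capability.h> */
#define CAP_BIT(n) (UINT64_C(1) << (n))

struct file_caps { uint64_t permitted, inheritable; int effective; };
struct proc_caps { uint64_t permitted, inheritable, effective, bounding; };

/* Model of the execve() rule in capabilities(7) for a non-root process and a
 * file with file capabilities (the ambient set is cleared in that case).
 * Returns 0 and fills *out, or -1 where the kernel would fail with EPERM. */
int caps_after_exec(const struct proc_caps *p, const struct file_caps *f,
                    struct proc_caps *out)
{
    uint64_t permitted = (p->inheritable & f->inheritable) |
                         (f->permitted & p->bounding);

    /* Effective bit set, but a file-permitted capability was not obtained */
    if (f->effective && (f->permitted & ~permitted))
        return -1;

    out->permitted   = permitted;
    out->effective   = f->effective ? permitted : 0;
    out->inheritable = p->inheritable;   /* unchanged across execve() */
    out->bounding    = p->bounding;
    return 0;
}

/* 1 if the executed program holds `cap` as effective, 0 if not, -1 on EPERM */
int gains_cap(uint64_t proc_inheritable, uint64_t bounding,
              struct file_caps f, int cap)
{
    struct proc_caps p = { 0, proc_inheritable, 0, bounding }, out;
    if (caps_after_exec(&p, &f, &out) != 0)
        return -1;
    return (out.effective & CAP_BIT(cap)) != 0;
}

int main(void)
{
    uint64_t c = CAP_BIT(CAP_NET_BIND_SERVICE), all = ~UINT64_C(0);
    struct file_caps ei = { 0, c, 1 }, eip = { c, c, 1 };
    printf("=ei,  empty inheritable set: %d\n", gains_cap(0, all, ei, CAP_NET_BIND_SERVICE));
    printf("=ei,  cap in inheritable:    %d\n", gains_cap(c, all, ei, CAP_NET_BIND_SERVICE));
    printf("=eip, empty inheritable set: %d\n", gains_cap(0, all, eip, CAP_NET_BIND_SERVICE));
    return 0;
}
```

With "ei" the capability is gained only when the caller already carries it in its inheritable set; with "eip" any caller gains it.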