[systemd-devel] [PATCH] units: add SecureBits
Lennart Poettering
lennart at poettering.net
Tue Feb 10 13:00:22 PST 2015
On Sat, 07.02.15 10:40, Topi Miettinen (toiwoton at gmail.com) wrote:
> No setuid programs are expected to be executed, so add
> SecureBits=no-setuid-fixup no-setuid-fixup-locked
> to unit files.
So, hmm, after reading the man page again: what's the rationale for
precisely these bits?
I mean no-setuid-fixup seems to be something that applies to setuid(),
setresuid() calls and suchlike, which seems pretty uninteresting. Much
more interesting is SECBIT_NOROOT, which disables suid binary
handling...
Can you elaborate?
Lennart
--
Lennart Poettering, Red Hat
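The bits under discussion are the prctl(PR_SET_SECUREBITS) flags, and the question of which one matters turns on two things: what each base bit gates (no-setuid-fixup changes what the kernel does to a process's capability sets on a setuid()/setresuid() transition; noroot disables the root-gets-all-capabilities rule on execve, including for set-user-ID-root binaries) and what the paired *-locked bit does (once set, neither it nor its base bit can be changed again by that process or its descendants). The following C is an added example written for this page; it is not from the thread and not systemd's code. It parses the word list systemd accepts in SecureBits= into the kernel mask, and mirrors the admission check the kernel applies to PR_SET_SECUREBITS in security/commoncap.c (cap_task_prctl, with the CAP_SETPCAP test left out), so the lock semantics can be tried without root. The bit values are those of linux/securebits.h; the helper names (securebits_from_string, securebits_change_allowed, current_securebits) are this example's own, and it models the three bit pairs that existed when the patch was posted (newer kernels add a fourth pair, no-cap-ambient-raise).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif
#ifndef PR_GET_SECUREBITS
#define PR_GET_SECUREBITS 27
#endif

/* Bit values as in <linux/securebits.h>: base bit at 2i, its lock at 2i+1. */
#define SB_NOROOT                 (1UL << 0)  /* no caps for uid 0 / suid-root on execve */
#define SB_NOROOT_LOCKED          (1UL << 1)
#define SB_NO_SETUID_FIXUP        (1UL << 2)  /* no cap changes on setuid()/setresuid() */
#define SB_NO_SETUID_FIXUP_LOCKED (1UL << 3)
#define SB_KEEP_CAPS              (1UL << 4)  /* keep permitted caps when dropping uid 0 */
#define SB_KEEP_CAPS_LOCKED       (1UL << 5)
#define SB_ALL_BITS  (SB_NOROOT | SB_NO_SETUID_FIXUP | SB_KEEP_CAPS)
#define SB_ALL_LOCKS (SB_ALL_BITS << 1)

/* The words systemd's SecureBits= directive accepts, mapped to their bit. */
static const struct { const char *name; unsigned long bit; } sb_names[] = {
    { "keep-caps",              SB_KEEP_CAPS },
    { "keep-caps-locked",       SB_KEEP_CAPS_LOCKED },
    { "no-setuid-fixup",        SB_NO_SETUID_FIXUP },
    { "no-setuid-fixup-locked", SB_NO_SETUID_FIXUP_LOCKED },
    { "noroot",                 SB_NOROOT },
    { "noroot-locked",          SB_NOROOT_LOCKED },
};

/* Parse a space-separated SecureBits= value (example helper, not systemd's).
   Returns the mask (>= 0), or -EINVAL on an unknown word or oversize input. */
long securebits_from_string(const char *s) {
    char buf[256];
    unsigned long mask = 0;
    size_t n = sizeof sb_names / sizeof *sb_names;

    if (strlen(s) >= sizeof buf)
        return -EINVAL;
    strcpy(buf, s);

    char *save = NULL;
    for (char *w = strtok_r(buf, " \t", &save); w; w = strtok_r(NULL, " \t", &save)) {
        size_t i;
        for (i = 0; i < n; i++)
            if (strcmp(w, sb_names[i].name) == 0) { mask |= sb_names[i].bit; break; }
        if (i == n)
            return -EINVAL;
    }
    return (long)mask;
}

/* Model of the kernel's PR_SET_SECUREBITS admission check (cap_task_prctl in
   security/commoncap.c), without the CAP_SETPCAP test. Returns 0 if a process
   whose current securebits are `old` may switch to `want`, else -EPERM. */
int securebits_change_allowed(unsigned long old, unsigned long want) {
    /* A base bit whose lock is set in `old` may not change. */
    if (((old & SB_ALL_LOCKS) >> 1) & (old ^ want))
        return -EPERM;
    /* A lock that is set may never be cleared. */
    if (old & SB_ALL_LOCKS & ~want)
        return -EPERM;
    /* Only known bits may be set. */
    if (want & ~(SB_ALL_LOCKS | SB_ALL_BITS))
        return -EPERM;
    return 0;
}

/* Read this process's securebits; needs no privilege on Linux. */
long current_securebits(void) {
#ifdef __linux__
    return prctl(PR_GET_SECUREBITS, 0, 0, 0, 0);
#else
    errno = ENOSYS;
    return -1;
#endif
}

int main(void) {
    /* The value from the patch under discussion. */
    long patch = securebits_from_string("no-setuid-fixup no-setuid-fixup-locked");
    printf("patch mask: %#lx\n", patch);
    /* With that mask in place, the fixup bit is frozen ... */
    printf("clear no-setuid-fixup later: %s\n",
           securebits_change_allowed((unsigned long)patch, 0) == 0 ? "allowed" : "EPERM");
    /* ... but noroot, which is what gates suid-root binaries, is still free. */
    printf("set noroot later: %s\n",
           securebits_change_allowed((unsigned long)patch, (unsigned long)patch | SB_NOROOT) == 0
               ? "allowed" : "EPERM");
    printf("this process: %#lx\n", current_securebits());
    return 0;
}
```

The point the model makes concrete: the patch's two words freeze only the setuid()-transition behaviour; because neither noroot nor noroot-locked is in the list, a service started with that mask could still set or clear noroot, and execve of a set-user-ID-root binary is still handled the normal way.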