[systemd-devel] [PATCH] units: add SecureBits

Topi Miettinen toiwoton at gmail.com
Wed Feb 11 08:24:10 PST 2015


On 02/10/15 21:00, Lennart Poettering wrote:
> On Sat, 07.02.15 10:40, Topi Miettinen (toiwoton at gmail.com) wrote:
> 
>> No setuid programs are expected to be executed, so add
>> SecureBits=no-setuid-fixup no-setuid-fixup-locked
>> to unit files.
> 
> So, hmm, after reading the man page again: what's the rationale for
> precisely these bits?
> 
> I mean no-setuid-fixup seems to be something that applies to setuid(),
> setresuid() calls and suchlike, which seems pretty uninteresting. Much
> more interesting is SECBIT_NOROOT, which disables suid binary
> handling...

Yes, noroot noroot-locked was actually my intention, sorry. I'll update
the patch.

Maybe all of "noroot noroot-locked no-setuid-fixup
no-setuid-fixup-locked" would be OK, but that probably needs another
look at the programs if they switch UIDs.

-Topi

> 
> Can you elaborate?
> 
> Lennart
> 
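As an added example, not part of this patch or of systemd's own code: a small C helper that maps the `SecureBits=` keywords of systemd.exec(5) to the bit positions of `<linux/securebits.h>`, so the two variants discussed in the thread can be compared, and that reads what the calling process actually runs with via `prctl(PR_GET_SECUREBITS)`. It assumes Linux and the six keywords systemd documents for the setting.

```c
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>  /* prctl(PR_GET_SECUREBITS); Linux only */

/* Bit positions from <linux/securebits.h>, indexed by the keyword that
 * systemd.exec(5) accepts for each of them in SecureBits=. */
static const char *const sb_names[] = {
    "noroot", "noroot-locked",                    /* bits 0, 1 */
    "no-setuid-fixup", "no-setuid-fixup-locked",  /* bits 2, 3 */
    "keep-caps", "keep-caps-locked",              /* bits 4, 5 */
};
#define SB_COUNT 6
#define SB_NOROOT        (1L << 0)
#define SB_NOROOT_LOCKED (1L << 1)

/* Parse a unit-file value such as "noroot noroot-locked" into the kernel
 * bitmask. Returns -1 on an unknown keyword, as systemd would reject it. */
long parse_securebits(const char *value)
{
    char copy[256];
    long bits = 0;
    snprintf(copy, sizeof copy, "%s", value);
    for (char *tok = strtok(copy, " "); tok; tok = strtok(NULL, " ")) {
        int i = 0;
        while (i < SB_COUNT && strcmp(tok, sb_names[i]) != 0)
            i++;
        if (i == SB_COUNT)
            return -1;
        bits |= 1L << i;
    }
    return bits;
}

/* The property the thread settles on: setuid-root binaries gain no
 * privilege (noroot) and the service cannot clear that bit (noroot-locked). */
int has_locked_noroot(long bits)
{
    return bits >= 0 && (bits & SB_NOROOT) && (bits & SB_NOROOT_LOCKED);
}

/* Run from a unit's ExecStart= to see what the service actually got. */
int main(void)
{
    long bits = prctl(PR_GET_SECUREBITS, 0, 0, 0, 0);
    if (bits < 0) { perror("prctl(PR_GET_SECUREBITS)"); return 1; }
    for (int i = 0; i < SB_COUNT; i++)
        if (bits & (1L << i))
            printf("%s ", sb_names[i]);
    printf("\nnoroot locked: %s\n", has_locked_noroot(bits) ? "yes" : "no");
    return 0;
}
```

Started from a unit without `SecureBits=`, the program prints no keywords at all, which is the quickest way to notice that a setting was dropped or misspelled.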


