[systemd-devel] [PATCH] units: add SecureBits

Lennart Poettering lennart at poettering.net
Wed Feb 11 08:32:54 PST 2015


On Wed, 11.02.15 16:24, Topi Miettinen (toiwoton at gmail.com) wrote:

> On 02/10/15 21:00, Lennart Poettering wrote:
> > On Sat, 07.02.15 10:40, Topi Miettinen (toiwoton at gmail.com) wrote:
> > 
> >> No setuid programs are expected to be executed, so add
> >> SecureBits=no-setuid-fixup no-setuid-fixup-locked
> >> to unit files.
> > 
> > So, hmm, after reading the man page again: what's the rationale for
> > precisely these bits?
> > 
> > I mean no-setuid-fixup seems to be something that applies to setuid(),
> > setresuid() calls and suchlike, which seems pretty uninteresting. Much
> > more interesting is SECBIT_NOROOT, which disables suid binary
> > handling...
> 
> Yes, noroot noroot-locked was actually my intention, sorry. I'll update
> the patch.
> 
> Maybe all of "noroot noroot-locked no-setuid-fixup
> no-setuid-fixup-locked" would be OK, but that probably needs another
> look at the programs if they switch UIDs.

I'd be careful with more than noroot, since the other flags alter
behaviour across setuid() and similar calls, and much of our code
makes assumptions that will likely not hold if you set those bits...

Lennart

-- 
Lennart Poettering, Red Hat
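
Added example, not part of the thread or of systemd's code: a small C check that maps `SecureBits=` words to the kernel's securebits flags and reports base flags set without their lock, using the two values discussed above as constructed inputs. The word list follows systemd.exec(5); the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <linux/securebits.h>

/* SecureBits= words from systemd.exec(5) mapped to kernel securebits flags. */
static const struct { const char *word; int bit; } names[] = {
    { "noroot",                 SECBIT_NOROOT },
    { "noroot-locked",          SECBIT_NOROOT_LOCKED },
    { "no-setuid-fixup",        SECBIT_NO_SETUID_FIXUP },
    { "no-setuid-fixup-locked", SECBIT_NO_SETUID_FIXUP_LOCKED },
    { "keep-caps",              SECBIT_KEEP_CAPS },
    { "keep-caps-locked",       SECBIT_KEEP_CAPS_LOCKED },
};
#define N_NAMES (sizeof(names) / sizeof(names[0]))

/* Parse a whitespace-separated SecureBits= value; -1 on an unknown word. */
int parse_securebits(const char *value)
{
    int mask = 0;
    const char *p = value + strspn(value, " \t");
    while (*p) {
        size_t len = strcspn(p, " \t"), i;
        for (i = 0; i < N_NAMES; i++)
            if (strlen(names[i].word) == len && !memcmp(p, names[i].word, len))
                break;
        if (i == N_NAMES)
            return -1;
        mask |= names[i].bit;
        p += len;
        p += strspn(p, " \t");
    }
    return mask;
}

/* Base flags set without their lock; each lock bit is its base bit << 1. */
int unlocked_bits(int mask)
{
    int base = mask & (SECBIT_NOROOT | SECBIT_NO_SETUID_FIXUP | SECBIT_KEEP_CAPS);
    return base & ~(mask >> 1);
}

int main(void)
{
    /* Constructed inputs: the value first posted and the one intended. */
    int posted = parse_securebits("no-setuid-fixup no-setuid-fixup-locked");
    int intended = parse_securebits("noroot noroot-locked");
    printf("posted   0x%x noroot=%d\n", (unsigned)posted, !!(posted & SECBIT_NOROOT));
    printf("intended 0x%x unlocked=0x%x\n", (unsigned)intended, (unsigned)unlocked_bits(intended));
    printf("this process: 0x%x\n", (unsigned)prctl(PR_GET_SECUREBITS, 0, 0, 0, 0));
    return 0;
}
```

A base flag reported by `unlocked_bits()` can still be cleared later by a process holding CAP_SETPCAP, which is why the thread pairs each flag with its `-locked` variant.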

