[systemd-devel] [PATCH v2] units: add SecureBits

Topi Miettinen toiwoton at gmail.com
Wed Feb 11 09:26:51 PST 2015


On 02/11/15 16:33, Lennart Poettering wrote:
> On Wed, 11.02.15 18:32, Topi Miettinen (toiwoton at gmail.com) wrote:
> 
>> No setuid programs are expected to be executed, so add
>> SecureBits=noroot noroot-locked
>> to unit files. 
> 
> Applied! Thanks!
> 
> (I hope this is well tested!)

I think I should find some brown paper bags; it does not work (unlike
no-setuid-fixup, which I have been using for some time for most
services), sorry. Looking at the code in the kernel around SECURE_NOROOT use
cases, I suppose the bit does not only control setuid execution (which is,
by the way, all the man page talks about), but it also means that
all capabilities are lost when *any* programs are executed (including
the service that systemd is trying to launch), unless there are
filesystem capability bits enabled to support this.

With a bit more work, the needed filesystem capability bits could be
enabled at install time for these programs. I don't know how well distro
package tools handle this if at all.

Please revert the patch for now. Sorry for the trouble.

-Topi

> 
> Lennart
> 
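As an added illustration (not part of the thread or of the applied patch), the install-time arrangement described in the message above: with noroot set, the service binary keeps only the capabilities carried in its own file-capability xattr, so the unit file and the package's install step have to agree. The service name, path and capability used here are hypothetical.

```ini
# Added example, not from the thread. Hypothetical service "fooserviced".
#
# Weak form: noroot is set but the binary carries no file capabilities.
# On execve the kernel no longer grants root's implicit capability set,
# so fooserviced starts with an empty capability set and fails as soon
# as it needs a privilege (the failure mode reported in the mail above).
[Service]
ExecStart=/usr/bin/fooserviced
SecureBits=noroot noroot-locked

# Corrected form (an alternative to the section above, not an addition):
# the package's install step stamps the needed capability on the binary,
# and the unit restricts the bounding set so nothing more can be acquired.
# Done once at install time, as root, with the libcap tools:
#   setcap cap_net_bind_service=ep /usr/bin/fooserviced
#   getcap /usr/bin/fooserviced     # expect: ... cap_net_bind_service=ep
# The "e" (effective) flag matters: without it the process receives the
# capability only in its permitted set and must raise it itself via capset().
[Service]
ExecStart=/usr/bin/fooserviced
SecureBits=noroot noroot-locked
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
```

A binary that is only setuid-root, with no file capabilities, gains nothing under noroot; the xattr is the sole source of privilege once the bit is set.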


