[systemd-devel] [PATCH v2] units: add SecureBits
Lennart Poettering
lennart at poettering.net
Wed Feb 11 09:29:20 PST 2015
On Wed, 11.02.15 17:26, Topi Miettinen (toiwoton at gmail.com) wrote:
> On 02/11/15 16:33, Lennart Poettering wrote:
> > On Wed, 11.02.15 18:32, Topi Miettinen (toiwoton at gmail.com) wrote:
> >
> >> No setuid programs are expected to be executed, so add
> >> SecureBits=noroot noroot-locked
> >> to unit files.
> >
> > Applied! Thanks!
> >
> > (I hope this is well tested!)
>
> I think I should find some brown paper bags, it does not work (unlike
> no-setuid-fixup which I have been using for some time for most
> services), sorry. Looking at the code in kernel around SECURE_NOROOT use
> cases I suppose the bit does not only control setuid execution (which is
> by the way what the man page only talks about), but it also means that
> all capabilities are lost when *any* programs are executed (including
> the service that systemd is trying to launch), unless there are
> filesystem capability bits enabled to support this.
>
> With a bit more work, the needed filesystem capability bits could be
> enabled at install time for these programs. I don't know how well distro
> package tools handle this if at all.
>
> Please revert the patch for now. Sorry for the trouble.

Done. NP.

File caps is something we cannot really rely on I fear due to compat
with NFS root and stuff, where they aren't available...

Lennart

--
Lennart Poettering, Red Hat
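
The behaviour discussed in this thread, as an added example that is not part of the original messages or of systemd: a simplified C model of the execve() capability rules documented in capabilities(7), without ambient capabilities, showing how SECBIT_NOROOT affects a root process executing a binary with and without file capabilities. The struct and function names and the manager's capability sets are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the execve() capability rules in capabilities(7),
 * without ambient capabilities. Sets are bit masks indexed by capability number. */
typedef uint64_t capset;
#define CAP_FULL ((capset)~0ULL)
#define CAP_BIT(n) ((capset)1 << (n))
#define CAP_NET_BIND_SERVICE 10 /* value from <linux/capability.h> */

/* Hypothetical types for this example, not kernel structures. */
struct proc { capset inh, perm, eff, bset; unsigned ruid, euid; bool noroot; };
struct file_caps { capset inh, perm; bool eff; }; /* all zero: no file caps */

static struct proc exec_transform(struct proc p, struct file_caps f)
{
    /* Without SECBIT_NOROOT the kernel treats the file sets as full for
     * real or effective UID 0, and the file effective bit as set for euid 0. */
    if (!p.noroot) {
        if (p.ruid == 0 || p.euid == 0) { f.inh = CAP_FULL; f.perm = CAP_FULL; }
        if (p.euid == 0) f.eff = true;
    }
    struct proc n = p;
    n.perm = (p.inh & f.inh) | (f.perm & p.bset);
    n.eff = f.eff ? n.perm : 0;
    return n;
}

/* Constructed scenario: a root manager with full permitted, effective and
 * bounding sets and an empty inheritable set executes a service binary. */
static capset service_effective(bool noroot, struct file_caps f)
{
    struct proc mgr = { 0, CAP_FULL, CAP_FULL, CAP_FULL, 0, 0, noroot };
    return exec_transform(mgr, f).eff;
}

int main(void)
{
    struct file_caps none = { 0, 0, false };
    struct file_caps bind = { 0, CAP_BIT(CAP_NET_BIND_SERVICE), true };
    printf("root, no file caps:      %016llx\n", (unsigned long long)service_effective(false, none));
    printf("noroot, no file caps:    %016llx\n", (unsigned long long)service_effective(true, none));
    printf("noroot, bind file cap:   %016llx\n", (unsigned long long)service_effective(true, bind));
    return 0;
}
```

With the bit set and no file capabilities on the binary, the service starts with an empty effective set even though it still runs as UID 0.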