[systemd-devel] Use of capabilities in default service files
Reindl Harald
h.reindl at thelounge.net
Mon Jul 20 04:52:42 PDT 2015
On 20.07.2015 at 13:24, Florian Weimer wrote:
> CapabilityBoundingSet=CAP_IPC_OWNER CAP_SETUID CAP_SETGID CAP_SETPCAP
> m4_ifdef(`HAVE_SMACK', CAP_MAC_ADMIN )
> …
> What's the intent of these settings? Is it a form of hardening? If
> yes, it is rather ineffective because UID=0 does not need any
> capabilities to completely compromise the system.
UID=0 *does* need capabilities; that's the whole purpose of
CapabilityBoundingSet, and so yes, it is a form of hardening.
http://linux.die.net/man/7/capabilities
Our internal httpd package is using the following options, and when you
remove CAP_NET_BIND_SERVICE it cannot bind to port 80:
PrivateTmp=yes
PrivateDevices=yes
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID
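The point of the reply is that CapabilityBoundingSet= limits what UID 0 can do, and that dropping CAP_NET_BIND_SERVICE is enough to stop a root-owned httpd from binding port 80. The following script is an added example, not code from this thread or from systemd: it applies the merge rules documented in systemd.exec(5) (space-separated names, repeated lines merged by OR, lines prefixed with "~" merged by AND, an empty value resetting to the empty set, a bare "~" resetting to the full set) to a unit snippet, packs the result into the bitmask the kernel reports as CapBnd: in /proc/<pid>/status, and checks the privileged-port rule. The capability numbers come from <linux/capability.h> as described in capabilities(7); the unit text and the /proc status excerpt are constructed for the example, and treating capability names case-insensitively is an assumption of this script.

```python
"""Work out which capabilities a systemd unit leaves in its bounding set.

Added example (not code from the thread or from systemd): applies the
CapabilityBoundingSet= merge rules of systemd.exec(5) to a unit file
snippet, converts the result to the CapBnd: bitmask shown in
/proc/<pid>/status, and checks whether CAP_NET_BIND_SERVICE survives,
since bind(2) to a port below 1024 fails without it even for UID 0.
"""
import re

# Capability numbers from <linux/capability.h> (see capabilities(7)).
CAP_NUMBERS = {
    "CAP_CHOWN": 0, "CAP_DAC_OVERRIDE": 1, "CAP_DAC_READ_SEARCH": 2,
    "CAP_FOWNER": 3, "CAP_FSETID": 4, "CAP_KILL": 5, "CAP_SETGID": 6,
    "CAP_SETUID": 7, "CAP_SETPCAP": 8, "CAP_LINUX_IMMUTABLE": 9,
    "CAP_NET_BIND_SERVICE": 10, "CAP_NET_BROADCAST": 11, "CAP_NET_ADMIN": 12,
    "CAP_NET_RAW": 13, "CAP_IPC_LOCK": 14, "CAP_IPC_OWNER": 15,
    "CAP_SYS_MODULE": 16, "CAP_SYS_RAWIO": 17, "CAP_SYS_CHROOT": 18,
    "CAP_SYS_PTRACE": 19, "CAP_SYS_PACCT": 20, "CAP_SYS_ADMIN": 21,
    "CAP_SYS_BOOT": 22, "CAP_SYS_NICE": 23, "CAP_SYS_RESOURCE": 24,
    "CAP_SYS_TIME": 25, "CAP_SYS_TTY_CONFIG": 26, "CAP_MKNOD": 27,
    "CAP_LEASE": 28, "CAP_AUDIT_WRITE": 29, "CAP_AUDIT_CONTROL": 30,
    "CAP_SETFCAP": 31, "CAP_MAC_OVERRIDE": 32, "CAP_MAC_ADMIN": 33,
    "CAP_SYSLOG": 34, "CAP_WAKE_ALARM": 35, "CAP_BLOCK_SUSPEND": 36,
    "CAP_AUDIT_READ": 37,
}
ALL_CAPS = frozenset(CAP_NUMBERS)

# Constructed unit snippet mirroring the options quoted in the thread; the
# trailing backslash is the unit-file line continuation for the wrapped value.
HTTPD_UNIT = """[Service]
PrivateTmp=yes
PrivateDevices=yes
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_NET_BIND_SERVICE \\
    CAP_SETGID CAP_SETUID
"""

# Constructed /proc/<pid>/status excerpt for a process running under that unit.
HTTPD_STATUS = "Name:\thttpd\nCapBnd:\t00000000000044c2\n"


def parse_bounding_set(unit_text):
    """Return the bounding set the unit ends up with, as capability names.

    Rules from systemd.exec(5): repeated lines merge by OR, or by AND
    (removal) when the value starts with '~'; an empty value resets to the
    empty set; a bare '~' resets to the full set.
    """
    text = re.sub(r"\\\n[ \t]*", " ", unit_text)   # join continued lines
    current = None                                  # None: option never set
    for match in re.finditer(r"^[ \t]*CapabilityBoundingSet[ \t]*=(.*)$", text, re.M):
        value = match.group(1).strip()
        if value == "":
            current = set()
            continue
        if value == "~":
            current = set(ALL_CAPS)
            continue
        invert = value.startswith("~")
        # Assumption of this example: names are matched case-insensitively.
        names = {n.upper() for n in value.lstrip("~").split()}
        unknown = names - ALL_CAPS
        if unknown:
            raise ValueError(f"unknown capability name(s): {sorted(unknown)}")
        if invert:
            base = ALL_CAPS if current is None else current
            current = set(base) - names
        else:
            current = names if current is None else current | names
    return ALL_CAPS if current is None else frozenset(current)


def bounding_mask(names):
    """Pack capability names into the bitmask format of CapBnd: in /proc."""
    return sum(1 << CAP_NUMBERS[name] for name in names)


def decode_capbnd(status_text):
    """Decode the CapBnd: line of a /proc/<pid>/status dump into names."""
    match = re.search(r"^CapBnd:[ \t]*([0-9a-fA-F]+)[ \t]*$", status_text, re.M)
    if match is None:
        raise ValueError("no CapBnd: line found")
    mask = int(match.group(1), 16)
    return frozenset(name for name, bit in CAP_NUMBERS.items() if mask >> bit & 1)


def can_bind_privileged_port(names):
    """bind(2) to a port below 1024 needs CAP_NET_BIND_SERVICE, UID 0 included."""
    return "CAP_NET_BIND_SERVICE" in names


if __name__ == "__main__":
    configured = parse_bounding_set(HTTPD_UNIT)
    print(f"unit keeps: {sorted(configured)}")
    print(f"CapBnd mask: {bounding_mask(configured):016x}")
    print(f"matches /proc: {decode_capbnd(HTTPD_STATUS) == configured}")
    print(f"can bind port 80: {can_bind_privileged_port(configured)}")
    # Dropping the capability, as the reply describes, makes port 80 unbindable.
    dropped = parse_bounding_set(HTTPD_UNIT + "CapabilityBoundingSet=~CAP_NET_BIND_SERVICE\n")
    print(f"after ~CAP_NET_BIND_SERVICE: can bind port 80: {can_bind_privileged_port(dropped)}")
```

On a live system the same comparison can be made against a real process by feeding the contents of /proc/<pid>/status to decode_capbnd(); a mismatch between what the unit declares and what the kernel reports is what to look for when reviewing whether a hardening setting actually took effect.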