[systemd-devel] Use of capabilities in default service files
Lennart Poettering
lennart at poettering.net
Wed Jul 22 12:43:50 PDT 2015
On Tue, 21.07.15 13:24, Florian Weimer (fweimer at redhat.com) wrote:
> And that's fine. But doing hardening for UID=0 services seems a very
> bad practice to me because it looks like someone is assuming that UID=0
> without capabilities is just another “nobody” user. Which is not
> surprising, because capabilities are often advertised that way.
I'd be happy to take a patch that adds a comment about this to the
CapabilityBoundingSet= option in the man page, explaining that one
should not mistake a UID=0 user zero caps as equivalent to a nobody
user.
Lennart
--
Lennart Poettering, Red Hat
More information about the systemd-devel
mailing list