[systemd-devel] About http://0pointer.net/blog/avoiding-cve-2016-8655-with-systemd.html
Michael Biebl
mbiebl at gmail.com
Fri Dec 9 02:10:47 UTC 2016
You are confusing a user service (which is installed in
/usr/lib/systemd/user) with privilege dropping via User=. Those are
different things.
2016-12-09 2:01 GMT+01:00 Reindl Harald <h.reindl at thelounge.net>:
>
>
> Am 09.12.2016 um 01:56 schrieb Michael Biebl:
>>
>> Btw, I think we are lacking a good systemd sandboxing howto/tutorial.
>> The one linked from fdo
>> (http://0pointer.de/blog/projects/security.html) is pretty dated and
>> the systemd.exec man page is not coherent enough with regards to
>> security/sandboxing.
>>
>> Related to that, I think it would be good if we would annotate in the
>> man page, which sandboxing features work for user services and which
>> don't. It's not always immediately obvious which feature requires root
>> privileges
>
>
> "requires root privileges" - a question here
>
>
> in my understanding those features are applied *before* dropping the privileges to
> "User" and "Group"
>
> User=sa-milt
> Group=sa-milt
> PrivateTmp=yes
> PrivateDevices=yes
> NoNewPrivileges=yes
> CapabilityBoundingSet=CAP_KILL
> RestrictAddressFamilies=~AF_APPLETALK AF_ATMPVC AF_AX25 AF_PACKET AF_X25
> SystemCallFilter=~acct modify_ldt add_key adjtimex clock_adjtime
> delete_module fanotify_init finit_module get_mempolicy init_module
> io_destroy io_getevents iopl ioperm io_setup io_submit io_cancel kcmp
> kexec_load keyctl lookup_dcookie mbind migrate_pages mount move_pages
> open_by_handle_at perf_event_open pivot_root process_vm_readv
> process_vm_writev ptrace remap_file_pages request_key set_mempolicy swapoff
> swapon umount2 uselib vmsplice
> _______________________________________________
> systemd-devel mailing list
> systemd-devel at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
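As an added illustration of the distinction drawn above (example code written for this archive page, not code from the thread or from systemd itself): a small parser for the `[Service]` section of the quoted unit that reports what the manager is asked to apply around execve(), and whether `User=`/`Group=` actually drop privileges. The list of per-user unit directories used to tell a user unit from a system unit is an assumption of this example, as is the simplified handling of list-valued settings (repeated assignments append, an empty assignment resets, a leading `~` makes a deny list; mixing both forms in one unit is not modeled).

```python
"""Summarize what a systemd service unit asks the manager to apply before
execve(): the privilege drop (User=/Group=), NoNewPrivileges=, the capability
bounding set, and the address-family and system-call lists.

Added example for this thread, not systemd's own code.  The install-path
heuristic (which directories hold per-user units) is an assumption of this
example; the merge rules for list-valued settings follow systemd.exec(5) for
the common cases (append, reset, '~' deny list).
"""
import re

LIST_KEYS = ("SystemCallFilter", "RestrictAddressFamilies", "CapabilityBoundingSet")
TRUE_WORDS = ("1", "yes", "true", "on")
# Assumed per-user unit directories: units here are started by "systemd --user",
# which already runs as the unprivileged user, so User= cannot drop anything.
USER_UNIT_DIRS = ("/usr/lib/systemd/user/", "/etc/systemd/user/", "/.config/systemd/user/")

# Constructed from the [Service] lines quoted in the thread.  The mailer wrapped
# the SystemCallFilter= line; in a unit file it is one logical line.
UNIT = """\
[Unit]
Description=example milter (constructed)

[Service]
ExecStart=/usr/bin/true
User=sa-milt
Group=sa-milt
PrivateTmp=yes
PrivateDevices=yes
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_KILL
RestrictAddressFamilies=~AF_APPLETALK AF_ATMPVC AF_AX25 AF_PACKET AF_X25
SystemCallFilter=~acct modify_ldt add_key adjtimex clock_adjtime delete_module fanotify_init finit_module get_mempolicy init_module io_destroy io_getevents iopl ioperm io_setup io_submit io_cancel kcmp kexec_load keyctl lookup_dcookie mbind migrate_pages mount move_pages open_by_handle_at perf_event_open pivot_root process_vm_readv process_vm_writev ptrace remap_file_pages request_key set_mempolicy swapoff swapon umount2 uselib vmsplice
"""


def _is_true(value):
    return value.strip().lower() in TRUE_WORDS


def parse_service_section(text):
    """Return {key: value} for the [Service] section.

    Scalar settings take the last assignment.  List settings are returned as
    {"deny": bool, "items": [...]}: repeated assignments append, an empty
    assignment resets the list, and a leading '~' marks it as a deny list."""
    section = None
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section != "Service" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in LIST_KEYS:
            if value == "":
                settings.pop(key, None)      # empty assignment resets the list
                continue
            entry = settings.setdefault(key, {"deny": False, "items": []})
            if value.startswith("~"):
                entry["deny"] = True
                value = value[1:]
            entry["items"].extend(value.split())
        else:
            settings[key] = value
    return settings


def is_user_unit(install_path):
    """True if the unit lives where the per-user manager (not PID 1) loads it."""
    return any(d in install_path for d in USER_UNIT_DIRS)


def summarize(text, install_path):
    """Report the execution-context restrictions and whether User= is a real drop."""
    s = parse_service_section(text)
    user_unit = is_user_unit(install_path)

    def listing(key):
        entry = s.get(key)
        if entry is None:
            return None, []
        return ("deny" if entry["deny"] else "allow"), sorted(entry["items"])

    return {
        "user_unit": user_unit,
        # Only the privileged system manager can switch uid/gid before execve();
        # a per-user manager already runs as the user, so User= drops nothing.
        "privilege_drop": (not user_unit) and "User" in s,
        "runs_as": "<invoking user>" if user_unit else s.get("User", "root"),
        "no_new_privileges": _is_true(s.get("NoNewPrivileges", "no")),
        "capabilities": listing("CapabilityBoundingSet"),
        "address_families": listing("RestrictAddressFamilies"),
        "syscalls": listing("SystemCallFilter"),
    }


if __name__ == "__main__":
    for path in ("/etc/systemd/system/sa-milt.service",
                 "/usr/lib/systemd/user/sa-milt.service"):
        print(path)
        for k, v in summarize(UNIT, path).items():
            print(f"  {k}: {v}")
```

Run as a script it prints the same unit evaluated twice: installed as a system unit, `User=sa-milt` is a real privilege drop applied by PID 1 after the seccomp, capability and namespace setup; installed under a user unit directory, the same line changes nothing because the manager starting it never had root to give up.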