<p dir="ltr"><br>
On Jul 21, 2015 4:18 AM, "Florian Weimer" <<a href="mailto:fweimer@redhat.com">fweimer@redhat.com</a>> wrote:<br>
><br>
> On 07/20/2015 07:30 PM, Andrew Lutomirski wrote:<br>
><br>
> >> (b) Make a copy of the file, put it in a directory which only the<br>
> >> service user can read (or ship it with 750 permissions and the service<br>
> >> group controlling it), and set fscaps. The downside is the large binary<br>
> >> size (it has to be a copy, a link won't work). And the service user<br>
> >> could still run the service with command line options that allow<br>
> >> privilege escalation.<br>
> >><br>
> ><br>
> > If you set inheritable fscaps but not permitted, this should be reasonably<br>
> > safe.<br>
><br>
> Empirically, this causes the capability to end up in the P set, not the<br>
> E set, which means that the application still needs to be capability to<br>
> enable it. So it really doesn't help that much in the Go case, sadly.<br>
> Although it is fairly close.</p>
<p dir="ltr">Try 2: set the capability in the inheritable set and set the effective bit. (The effective fscap is a single bit, not a mask. You still program it with "=ei" because the syntax is wrong.)</p>
<p dir="ltr">--Andy</p>
<p dir="ltr">><br>
> --<br>
> Florian Weimer / Red Hat Product Security<br>
> --<br>
> devel mailing list<br>
> <a href="mailto:devel@lists.fedoraproject.org">devel@lists.fedoraproject.org</a><br>
> <a href="https://admin.fedoraproject.org/mailman/listinfo/devel">https://admin.fedoraproject.org/mailman/listinfo/devel</a><br>
> Fedora Code of Conduct: <a href="http://fedoraproject.org/code-of-conduct">http://fedoraproject.org/code-of-conduct</a></p>