systemd: SecureBits=noroot-locked and documentation
Reindl Harald
h.reindl at thelounge.net
Sat Jul 20 23:07:57 UTC 2013
Hi
https://fedoraproject.org/wiki/User:Johannbg/QA/Systemd/Systemd.exec
the wiki seems to be outdated at this point, see freedesktop.org below
http://lists.freedesktop.org/archives/systemd-devel/2011-August/003273.html
capabilities(7) does not really explain what "SecureBits=noroot-locked"
exactly does, and googling "SECBIT_NOROOT_LOCKED" doesn't bring me further
IMHO "CapabilityBoundingSet" should be considered for all services
_________________________________________
my current httpd.service:
SecureBits=noroot-locked
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID
"SecureBits=noroot" fails to start, I guess because of the root-master process
"SecureBits=noroot-locked" works
I want to understand if it is correct that this means an httpd worker,
once running as the "apache" user, could never get back root permissions
through any exploit
_________________________________________
https://fedoraproject.org/wiki/User:Johannbg/QA/Systemd/Systemd.exec
>> SecureBits=
>> Controls the secure bits set for the executed process. See capabilities(7) for
>> details. Takes a list of strings: keep-caps, keep-caps-locked, no-setuid-fixup,
>> no-setuid-fixup-locked, no-setuid-noroot and/or no-setuid-noroot-locked
http://www.freedesktop.org/software/systemd/man/systemd.exec.html
>> SecureBits=
>> Controls the secure bits set for the executed process. See capabilities(7) for
>> details. Takes a list of strings: keep-caps, keep-caps-locked, no-setuid-fixup,
>> no-setuid-fixup-locked, noroot and/or noroot-locked. This option may appear
>> more than once in which case the secure bits are ORed. If the empty string
>> is assigned to this option the bits are reset to 0.
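The following is an added example, not part of the original post and not systemd's own code. It decodes the SecureBits= keywords from the man page text above into the kernel's SECBIT_* values (taken from linux/securebits.h, where each keyword is its own bit: a "-locked" bit only freezes the current state of its companion bit, so "noroot-locked" on its own locks noroot in the off state rather than turning it on), decodes the CapBnd mask of a /proc/<pid>/status file (capability numbers from linux/capability.h), and compares a running worker against the CapabilityBoundingSet= and NoNewPrivileges= intent of the unit quoted above. The two status samples are constructed, not captured from a real host; the audit_worker function and its findings wording are the example's own.

```python
"""Decode systemd SecureBits= / CapabilityBoundingSet= against /proc/<pid>/status.

Added example (not systemd code). Bit values come from <linux/securebits.h>
and <linux/capability.h>; the status samples below are constructed.
"""
import ctypes
import sys

# systemd SecureBits= keyword -> SECBIT_* value. Each keyword is one bit; the
# lock bit freezes whatever state its companion bit currently has.
SECBITS = {
    "noroot": 1 << 0,                  # SECBIT_NOROOT
    "noroot-locked": 1 << 1,           # SECBIT_NOROOT_LOCKED
    "no-setuid-fixup": 1 << 2,         # SECBIT_NO_SETUID_FIXUP
    "no-setuid-fixup-locked": 1 << 3,  # SECBIT_NO_SETUID_FIXUP_LOCKED
    "keep-caps": 1 << 4,               # SECBIT_KEEP_CAPS
    "keep-caps-locked": 1 << 5,        # SECBIT_KEEP_CAPS_LOCKED
}

# Capability names in bit order (CAP_CHOWN is bit 0, CAP_AUDIT_READ is bit 37).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
]

# The unit from the post: only these five capabilities may remain.
HTTPD_UNIT_CAPS = "CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID"

# Constructed status of a worker that matches the unit (uid 48 = apache).
WORKER_STATUS = """\
Name:\thttpd
Uid:\t48\t48\t48\t48
Gid:\t48\t48\t48\t48
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t00000000000044c2
NoNewPrivs:\t1
"""

# Constructed status of a worker started without the bounding set and
# without NoNewPrivileges=: full bounding set, privilege escalation not blocked.
UNCONFINED_STATUS = """\
Name:\thttpd
Uid:\t48\t48\t48\t48
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t0000003fffffffff
NoNewPrivs:\t0
"""


def securebits_from_unit(value):
    """OR together the keywords of a SecureBits= line; the empty string resets to 0."""
    bits = 0
    for word in value.split():
        bits |= SECBITS[word]  # an unknown keyword is a configuration error
    return bits


def decode_securebits(bits):
    """Return the keyword names set in a securebits value, in bit order."""
    return [name for name, bit in SECBITS.items() if bits & bit]


def decode_cap_mask(hex_mask):
    """Turn a CapBnd/CapEff hex mask into a set of capability names."""
    mask = int(hex_mask, 16)
    return {CAP_NAMES[i] if i < len(CAP_NAMES) else "CAP_%d" % i
            for i in range(mask.bit_length()) if mask & (1 << i)}


def parse_proc_status(text):
    """Extract uid, euid, capability sets and NoNewPrivs from /proc/<pid>/status text."""
    fields = {}
    for line in text.splitlines():
        key, _, rest = line.partition(":")
        fields[key.strip()] = rest.split()
    return {
        "uid": int(fields["Uid"][0]),
        "euid": int(fields["Uid"][1]),
        "cap_bnd": decode_cap_mask(fields["CapBnd"][0]),
        "cap_eff": decode_cap_mask(fields["CapEff"][0]),
        "no_new_privs": fields.get("NoNewPrivs", ["0"])[0] == "1",
    }


def audit_worker(status, unit_caps):
    """List deviations of a running worker from the unit's hardening intent."""
    findings = []
    extra = status["cap_bnd"] - set(unit_caps.split())
    if extra:
        findings.append("bounding set exceeds CapabilityBoundingSet=: "
                        + ", ".join(sorted(extra)))
    if not status["no_new_privs"]:
        findings.append("NoNewPrivs is 0: set-UID or file-capability binaries "
                        "could still raise privileges on execve")
    if status["euid"] == 0:
        findings.append("effective UID is 0")
    return findings


def securebits_of_self():
    """prctl(PR_GET_SECUREBITS) for the current process; None off Linux."""
    if not sys.platform.startswith("linux"):
        return None
    return ctypes.CDLL(None, use_errno=True).prctl(27, 0, 0, 0, 0)  # PR_GET_SECUREBITS = 27


if __name__ == "__main__":
    print("noroot-locked ->", decode_securebits(securebits_from_unit("noroot-locked")))
    for name, sample in (("confined", WORKER_STATUS), ("unconfined", UNCONFINED_STATUS)):
        print(name, audit_worker(parse_proc_status(sample), HTTPD_UNIT_CAPS) or "ok")
    print("own securebits:", securebits_of_self())
```

Run against a live service with `cat /proc/$(pidof -s httpd)/status` piped into parse_proc_status; an empty findings list means the worker's bounding set is exactly the unit's list and execve cannot add privileges, which is the property the post asks about.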