Granting a capability to a service

Reindl Harald h.reindl at
Mon Jul 20 23:02:25 UTC 2015

Am 20.07.2015 um 23:34 schrieb Steve Grubb:
> On Monday, July 20, 2015 12:45:28 PM Andrew Lutomirski wrote:
>> On Mon, Jul 20, 2015 at 12:26 PM, Steve Grubb <sgrubb at> wrote:
>>> The real problem with capabilities is there is no way to say, I trust this
>>> child process with this capability, but don't let it get inherited beyond
>>> this process that I'm about to start.
>> Why would you want to do that?
> Because you know exactly why the program needs a capability and its not known
> to have children. Therefore any children must be because of an exploit. The
> way it is, capabilities are inherited and you can't stop it

when you start a service like let say a webserver and take away 
capabilities for security reasons than you want *for sure* to have them 
also inherited for *any* scripting language calling whatever via system()

it's expected behavior that settings for a systemd-unit like 
capabilities or namespaces are inherited for *every* prcoess of that 
service and not just for ExecStart itself leaving children unprotected

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the devel mailing list