Granting a capability to a service

Steve Grubb sgrubb at redhat.com
Tue Jul 21 04:22:45 UTC 2015


On Tuesday, July 21, 2015 01:02:25 AM Reindl Harald wrote:
> Am 20.07.2015 um 23:34 schrieb Steve Grubb:
> > On Monday, July 20, 2015 12:45:28 PM Andrew Lutomirski wrote:
> >> On Mon, Jul 20, 2015 at 12:26 PM, Steve Grubb <sgrubb at redhat.com> wrote:
> >>> The real problem with capabilities is there is no way to say, I trust
> >>> this child process with this capability, but don't let it get inherited
> >>> beyond this process that I'm about to start.
> >> 
> >> Why would you want to do that?
> > 
> > Because you know exactly why the program needs a capability and it's not
> > known to have children. Therefore any children must be because of an
> > exploit. The way it is, capabilities are inherited and you can't stop it.
> 
> when you start a service like, let's say, a webserver and take away
> capabilities for security reasons then you want *for sure* to have them
> also inherited for *any* scripting language calling whatever via system()
> 
> it's expected behavior that settings for a systemd-unit like
> capabilities or namespaces are inherited for *every* process of that
> service and not just for ExecStart itself, leaving children unprotected

Sure, there are cases where you know that. But let's take 'ping' as an example
of what I'm talking about. It should never have children. If it does, it's been
exploited. I do not want any capabilities passed to those children.

-Steve
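The thread argues about which capabilities a service's children end up with. The C program below is an added example, not from this thread or any of its participants; it encodes the inheritance rules from capabilities(7) (fork copies every set unchanged; execve computes the new permitted set from the parent's inheritable, bounding and ambient sets and the binary's file capabilities) and parses the CapInh/CapPrm/CapEff/CapBnd/CapAmb lines of /proc/<pid>/status so a running service can be audited. The capability numbers are the ones from linux/capability.h; SAMPLE_STATUS is a constructed status excerpt for a ping-like process, and the "ambient" set (CapAmb) only exists on kernels that ship it, so the parser tolerates its absence.

```c
/* cap_inherit.c: work out which capabilities a child of this process would hold.
   Added example, not from the mailing-list thread. Rules follow capabilities(7);
   capability numbers from <linux/capability.h>. Build: cc -std=c11 -Wall cap_inherit.c */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_NET_RAW   13
#define CAP_SYS_ADMIN 21

typedef struct { uint64_t inh, prm, eff, bnd, amb; } caps_t;  /* a process's sets  */
typedef struct { uint64_t inh, prm; bool eff; } filecaps_t;   /* file caps on a binary */

static uint64_t cap_bit(int cap) { return (uint64_t)1 << cap; }
static bool has_cap(uint64_t set, int cap) { return (set & cap_bit(cap)) != 0; }

/* Parse the Cap* lines of a /proc/<pid>/status text (hex masks after a tab).
   Returns how many Cap* fields were found: 5 on current kernels, 4 before CapAmb existed. */
static int parse_status_caps(const char *text, caps_t *out)
{
    const struct { const char *key; uint64_t *dst; } fields[] = {
        {"CapInh:", &out->inh}, {"CapPrm:", &out->prm}, {"CapEff:", &out->eff},
        {"CapBnd:", &out->bnd}, {"CapAmb:", &out->amb},
    };
    int found = 0;
    memset(out, 0, sizeof *out);
    for (const char *line = text; line && *line; ) {
        const char *nl = strchr(line, '\n');
        for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++) {
            size_t klen = strlen(fields[i].key);
            if (strncmp(line, fields[i].key, klen) == 0) {
                *fields[i].dst = strtoull(line + klen, NULL, 16);  /* strtoull skips the tab */
                found++;
            }
        }
        line = nl ? nl + 1 : NULL;
    }
    return found;
}

/* fork() copies every set unchanged: a forked child holds exactly what the parent held. */
static caps_t caps_after_fork(const caps_t *p) { return *p; }

/* execve() transformation from capabilities(7). An all-zero fc is a binary with
   no file capabilities (and not setuid-root). Inheritable and bounding survive exec. */
static caps_t caps_after_exec(const caps_t *p, const filecaps_t *fc)
{
    caps_t c = *p;
    bool privileged = (fc->inh | fc->prm) != 0;   /* file caps make the binary "privileged" */
    c.amb = privileged ? 0 : p->amb;              /* ambient is cleared across a privileged exec */
    c.prm = (p->inh & fc->inh) | (fc->prm & p->bnd) | c.amb;
    c.eff = fc->eff ? c.prm : c.amb;
    return c;
}

/* Defender's check: would a child of process p hold `cap`? fc == NULL models a plain
   fork (no exec); otherwise the child execs a binary carrying file caps fc. */
static bool child_would_hold(const caps_t *p, const filecaps_t *fc, int cap)
{
    caps_t c = fc ? caps_after_exec(p, fc) : caps_after_fork(p);
    return has_cap(c.prm, cap);
}

/* Constructed sample status excerpt: a ping-like process holding only CAP_NET_RAW
   (bit 13 = 0x2000) with an unrestricted bounding set. */
static const char SAMPLE_STATUS[] =
    "Name:\tping\n"
    "CapInh:\t0000000000002000\n"
    "CapPrm:\t0000000000002000\n"
    "CapEff:\t0000000000002000\n"
    "CapBnd:\t0000003fffffffff\n"
    "CapAmb:\t0000000000000000\n";

int main(void)
{
    char buf[8192];
    caps_t me;
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) { perror("/proc/self/status"); return 1; }
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    if (parse_status_caps(buf, &me) < 4) { fputs("no Cap* lines found\n", stderr); return 1; }
    const filecaps_t plain = {0, 0, false};
    caps_t child = caps_after_exec(&me, &plain);
    printf("this process:  prm=%#llx inh=%#llx amb=%#llx bnd=%#llx\n",
           (unsigned long long)me.prm, (unsigned long long)me.inh,
           (unsigned long long)me.amb, (unsigned long long)me.bnd);
    printf("child after exec of a plain binary: prm=%#llx (ambient set only)\n",
           (unsigned long long)child.prm);
    return 0;
}
```

Two consequences follow from the rules as encoded. A forked child that never execs keeps the whole permitted set, which is exactly the "ping should never have children" concern in the thread; an exec'd child gets a capability from the parent's inheritable set only if the new binary carries a matching file capability, and gets it unconditionally only via the ambient set. Pointing the parser at /proc/<pid>/status of a running service shows which of those paths are open.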

