Granting a capability to a service

Florian Weimer fweimer at
Tue Jul 21 07:52:47 UTC 2015

On 07/21/2015 06:22 AM, Steve Grubb wrote:

> Sure, there are cases where you know that. But let's take 'ping' as an example 
> of what I'm talking about. It should never have children. If it does, it's been 
> exploited.

You can't know that.  ping performs name resolution, and it's perfectly
fine for an NSS module to create a subprocess (with the appropriate clone
flags etc., to avoid interfering with the process handling).  In fact,
this approach could well be used to enhance security, and may be
required if the NSS module uses complex libraries such as OpenSSL.  (See
nss_ldap vs nss_ldapd for reasons for this kind of process separation.)

Florian Weimer / Red Hat Product Security
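
Added example (not part of the original message, and not code from nss_ldapd or any real NSS module): one way a library can run a lookup in a helper process created with clone() so that the host program receives no SIGCHLD and its own wait calls are not disturbed. The names lookup_via_helper, helper_main and the returned string are hypothetical; Linux with glibc is assumed.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

static volatile sig_atomic_t host_sigchld_seen;   /* host-side bookkeeping */
static void host_on_sigchld(int sig) { (void)sig; host_sigchld_seen++; }

struct job { int wfd; const char *name; };

/* Runs in the helper process: stand-in for the complex lookup code. */
static int helper_main(void *arg) {
    struct job *j = arg;
    char buf[64];
    int n = snprintf(buf, sizeof buf, "addr-for-%s", j->name);
    ssize_t w = write(j->wfd, buf, (size_t)n);
    _exit(w == n ? 0 : 1);
}

/* Hypothetical module entry point: 0 on success, -1 on failure. */
int lookup_via_helper(const char *name, char *out, size_t outlen) {
    static char stack[64 * 1024] __attribute__((aligned(16)));
    int p[2], status;
    if (outlen == 0 || pipe(p) != 0) return -1;
    struct job j = { p[1], name };
    /* flags == 0: separate address space, and exit signal 0 means the
       host gets no SIGCHLD when the helper exits. */
    pid_t pid = clone(helper_main, stack + sizeof stack, 0, &j);
    close(p[1]);
    if (pid < 0) { close(p[0]); return -1; }
    ssize_t n = read(p[0], out, outlen - 1);
    close(p[0]);
    out[n > 0 ? n : 0] = '\0';
    /* __WCLONE reaps only this clone child, never the host's own children. */
    if (waitpid(pid, &status, __WCLONE) != pid) return -1;
    return (n > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* Simulates a host such as ping that installed its own SIGCHLD handler. */
int host_sigchld_count_after_lookup(char *out, size_t outlen) {
    signal(SIGCHLD, host_on_sigchld);
    host_sigchld_seen = 0;
    if (lookup_via_helper("example.test", out, outlen) != 0) return -1;
    return (int)host_sigchld_seen;   /* constructed check: expected 0 */
}
```

The helper is still a child of the host process while it runs, so a monitor that flags any child of ping would fire on this benign lookup.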
