Granting a capability to a service

Florian Weimer fweimer at
Tue Jul 21 11:18:36 UTC 2015

On 07/20/2015 07:30 PM, Andrew Lutomirski wrote:

>> (b) Make a copy of the file, put it in a directory which only the
>> service user can read (or ship it with 750 permissions and the service
>> group controlling it), and set fscaps.  The downside is the large binary
>> size (it has to be a copy, a link won't work).  And the service user
>> could still run the service with command line options that allow
>> privilege escalation.
> If you set inheritable fscaps but not permitted, this should be reasonably
> safe.

Empirically, this causes the capability to end up in the P set, not the
E set, which means that the application still needs to be capability to
enable it.  So it really doesn't help that much in the Go case, sadly.
Although it is fairly close.

Florian Weimer / Red Hat Product Security

More information about the devel mailing list