Granting a capability to a service
Florian Weimer
fweimer at redhat.com
Tue Jul 21 11:18:36 UTC 2015
On 07/20/2015 07:30 PM, Andrew Lutomirski wrote:
>> (b) Make a copy of the file, put it in a directory which only the
>> service user can read (or ship it with 750 permissions and the service
>> group controlling it), and set fscaps. The downside is the large binary
>> size (it has to be a copy, a link won't work). And the service user
>> could still run the service with command line options that allow
>> privilege escalation.
>>
>
> If you set inheritable fscaps but not permitted, this should be reasonably
> safe.
Empirically, this causes the capability to end up in the P set, not the
E set, which means that the application still needs to be capability to
enable it. So it really doesn't help that much in the Go case, sadly.
Although it is fairly close.
--
Florian Weimer / Red Hat Product Security
More information about the devel
mailing list