Granting a capability to a service
fweimer at redhat.com
Tue Jul 21 11:18:36 UTC 2015
On 07/20/2015 07:30 PM, Andrew Lutomirski wrote:
>> (b) Make a copy of the file, put it in a directory which only the
>> service user can read (or ship it with 750 permissions and the service
>> group controlling it), and set fscaps. The downside is the large binary
>> size (it has to be a copy, a link won't work). And the service user
>> could still run the service with command line options that allow
>> privilege escalation.
> If you set inheritable fscaps but not permitted, this should be reasonably
Empirically, this causes the capability to end up in the P set, not the
E set, which means that the application still needs to be capability to
enable it. So it really doesn't help that much in the Go case, sadly.
Although it is fairly close.
Florian Weimer / Red Hat Product Security
More information about the devel