Hi

https://fedoraproject.org/wiki/User:Johannbg/QA/Systemd/Systemd.exec
the wiki seems to be outdated at this point, see freedesktop.org below

http://lists.freedesktop.org/archives/systemd-devel/2011-August/003273.html
capabilities(7) does not really explain what "SecureBits=noroot-locked"
exactly does and googling "SECBIT_NOROOT_LOCKED" doesn't bring me further

IMHO "CapabilityBoundingSet" should be considered for all services
_________________________________________

my current httpd.service:

SecureBits=noroot-locked
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID

"SecureBits=noroot" fails to start, I guess because of the root-master process
"SecureBits=noroot-locked" works

I want to understand if it is right that this means a httpd-worker,
once running with the "apache" user, could with no exploit ever get
back root-perms
_________________________________________

https://fedoraproject.org/wiki/User:Johannbg/QA/Systemd/Systemd.exec
>> SecureBits=
>> Controls the secure bits set for the executed process. See capabilities(7) for
>> details. Takes a list of strings: keep-caps, keep-caps-locked, no-setuid-fixup,
>> no-setuid-fixup-locked, no-setuid-noroot and/or no-setuid-noroot-locked

http://www.freedesktop.org/software/systemd/man/systemd.exec.html
>> SecureBits=
>> Controls the secure bits set for the executed process. See capabilities(7) for
>> details. Takes a list of strings: keep-caps, keep-caps-locked, no-setuid-fixup,
>> no-setuid-fixup-locked, noroot and/or noroot-locked. This option may appear
>> more than once in which case the secure bits are ORed. If the empty string
>> is assigned to this option the bits are reset to 0.
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
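
An added example (not part of the original post and not systemd's own code): a small decoder for the SecureBits= tokens listed in the systemd.exec text quoted above, reporting which base flags a value turns on and which it only locks. Bit positions are those of linux/securebits.h; that each token sets exactly the one same-named bit is an assumption, and `parse_secure_bits` and `describe` are illustrative names.

```python
# Added example. Bit positions follow linux/securebits.h; the mapping of each
# SecureBits= token to exactly one same-named bit is an assumption.
BITS = {
    "noroot": 1 << 0,                   # SECBIT_NOROOT
    "noroot-locked": 1 << 1,            # SECBIT_NOROOT_LOCKED
    "no-setuid-fixup": 1 << 2,          # SECBIT_NO_SETUID_FIXUP
    "no-setuid-fixup-locked": 1 << 3,   # SECBIT_NO_SETUID_FIXUP_LOCKED
    "keep-caps": 1 << 4,                # SECBIT_KEEP_CAPS
    "keep-caps-locked": 1 << 5,         # SECBIT_KEEP_CAPS_LOCKED
}


def parse_secure_bits(assignments):
    """OR the tokens of successive SecureBits= values; an empty value resets to 0."""
    mask = 0
    for value in assignments:
        if not value.strip():
            mask = 0
            continue
        for token in value.split():
            if token not in BITS:
                raise ValueError(f"unknown SecureBits token: {token!r}")
            mask |= BITS[token]
    return mask


def describe(mask):
    """Map each base flag to 'on'/'off', with ' (locked)' if its lock bit is set.

    Per capabilities(7), a locked flag can no longer be changed, whether it
    was on or off at the moment the lock bit was set.
    """
    report = {}
    for base in ("noroot", "no-setuid-fixup", "keep-caps"):
        state = "on" if mask & BITS[base] else "off"
        if mask & BITS[base + "-locked"]:
            state += " (locked)"
        report[base] = state
    return report


if __name__ == "__main__":
    # Constructed inputs: the unit's value, the same with the base flag added,
    # and a repeated assignment with an empty value in between.
    for lines in (["noroot-locked"], ["noroot noroot-locked"], ["noroot", "", "keep-caps"]):
        mask = parse_secure_bits(lines)
        print(lines, hex(mask), describe(mask))
```
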