Re: Granting a capability to a service

On Jul 20, 2015 4:20 AM, "Florian Weimer" <fweimer@xxxxxxxxxx> wrote:
>
> On 07/18/2015 03:53 PM, Andrew Lutomirski wrote:
>
> > Nothing.  Inheritable capabilities are nearly useless.
>
> Wow.
>
> The program that sparked this thread is a Go program.  So basically, we
> have these options if we do not want to run with full capabilities:
>
> (a) Run with UID=0 with restricted capabilities, like many systemd
> services already do.  Do not use fscaps (which are not needed because of
> the UID=0 special case).  This is rather pointless because UID=0 does
> not need capabilities to compromise the system.
>
> (b) Make a copy of the file, put it in a directory which only the
> service user can read (or ship it with 750 permissions and the service
> group controlling it), and set fscaps.  The downside is the large binary
> size (it has to be a copy, a link won't work).  And the service user
> could still run the service with command line options that allow
> privilege escalation.
>

If you set inheritable fscaps but not permitted, this should be reasonably safe.

Alas, you will have to remove fscaps entirely to be compatible with ambient caps.

--Andy

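The capability arithmetic behind the three cases above (fscaps with a permitted set, fscaps with an inheritable set only, and ambient capabilities meeting a binary that has fscaps) can be worked through without root. The following C program is an added example, not code from this thread or from the kernel: it models the execve transformation rules documented in capabilities(7) on plain 64-bit bitmasks. The capability bit numbers are the ones from linux/capability.h; the scenario names, the struct layouts and the "service execs a helper" chain are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* One bit per capability, as in the kernel's capability bitmaps. */
typedef uint64_t capset_t;
#define CAP_BIT(n) ((capset_t)1 << (n))
#define CAP_NET_BIND_SERVICE CAP_BIT(10)   /* numeric values from linux/capability.h */
#define CAP_SYS_ADMIN        CAP_BIT(21)
#define CAP_ALL              (~(capset_t)0)

struct proc_caps { capset_t permitted, effective, inheritable, bounding, ambient; };

/* File capabilities as setcap(8) stores them: a permitted set, an inheritable
 * set and a single "effective" flag. 'present' is false for a plain binary. */
struct file_caps { capset_t permitted, inheritable; bool effective, present, setuid; };

/* The execve rules from capabilities(7):
 *   P'(ambient)     = (file is privileged) ? 0 : P(ambient)
 *   P'(permitted)   = (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding)) | P'(ambient)
 *   P'(effective)   = F(effective) ? P'(permitted) : P'(ambient)
 *   P'(inheritable) = P(inheritable)
 * A file is "privileged" if it is set-UID/set-GID or carries any fscaps. */
static struct proc_caps execve_caps(struct proc_caps p, struct file_caps f) {
    struct proc_caps n;
    bool privileged = f.present || f.setuid;
    n.ambient     = privileged ? 0 : p.ambient;
    n.permitted   = (p.inheritable & f.inheritable) | (f.permitted & p.bounding) | n.ambient;
    n.effective   = f.effective ? n.permitted : n.ambient;
    n.inheritable = p.inheritable;
    n.bounding    = p.bounding;
    return n;
}

/* Option (b): fscaps with CAP_NET_BIND_SERVICE in the file's permitted set.
 * Returns the permitted set of whoever executes the file, even a user with
 * an empty inheritable set. */
capset_t scenario_permitted_fscaps(void) {
    struct proc_caps user = { 0, 0, 0, CAP_ALL, 0 };
    struct file_caps f = { CAP_NET_BIND_SERVICE, 0, true, true, false };
    return execve_caps(user, f).permitted;
}

/* Andy's suggestion: inheritable fscaps only, no permitted set. The caller
 * gets the capability only if its own inheritable set already holds it
 * (e.g. because the service manager put it there before the exec). */
capset_t scenario_inheritable_fscaps(capset_t caller_inheritable) {
    struct proc_caps caller = { 0, 0, caller_inheritable, CAP_ALL, 0 };
    struct file_caps f = { 0, CAP_NET_BIND_SERVICE, true, true, false };
    return execve_caps(caller, f).permitted;
}

/* Ambient caps: a service started with CAP_NET_BIND_SERVICE ambient execs its
 * binary, which then execs a plain helper (no fscaps). Returns the helper's
 * permitted set; any fscaps on the service binary clear the ambient set. */
capset_t ambient_after_two_execs(bool service_binary_has_fscaps) {
    struct proc_caps svc = { CAP_NET_BIND_SERVICE, CAP_NET_BIND_SERVICE,
                             CAP_NET_BIND_SERVICE, CAP_ALL, CAP_NET_BIND_SERVICE };
    struct file_caps svc_bin = { 0, service_binary_has_fscaps ? CAP_NET_BIND_SERVICE : 0,
                                 service_binary_has_fscaps, service_binary_has_fscaps, false };
    struct file_caps helper = { 0, 0, false, false, false };   /* plain binary */
    struct proc_caps after_svc = execve_caps(svc, svc_bin);
    return execve_caps(after_svc, helper).permitted;
}

int main(void) {
    printf("permitted fscaps, any caller:            %#llx\n",
           (unsigned long long)scenario_permitted_fscaps());
    printf("inheritable fscaps, caller has inh cap:  %#llx\n",
           (unsigned long long)scenario_inheritable_fscaps(CAP_NET_BIND_SERVICE));
    printf("inheritable fscaps, caller has none:     %#llx\n",
           (unsigned long long)scenario_inheritable_fscaps(0));
    printf("ambient, no fscaps on service binary:    %#llx\n",
           (unsigned long long)ambient_after_two_execs(false));
    printf("ambient, fscaps on service binary:       %#llx\n",
           (unsigned long long)ambient_after_two_execs(true));
    return 0;
}
```

The second scenario is what makes inheritable-only fscaps "reasonably safe": an ordinary user running the binary by hand ends up with an empty permitted set, while a process whose inheritable set was prepared by the service manager gets exactly the capability the file allows. The third scenario shows why fscaps and ambient capabilities do not mix: the moment the service binary carries any fscaps, the ambient set is zeroed at that exec, so the next plain binary in the chain starts with nothing.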

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
