On Tuesday, July 21, 2015 01:02:25 AM Reindl Harald wrote:
> On 20.07.2015 at 23:34 Steve Grubb wrote:
> > On Monday, July 20, 2015 12:45:28 PM Andrew Lutomirski wrote:
> >> On Mon, Jul 20, 2015 at 12:26 PM, Steve Grubb <sgrubb@xxxxxxxxxx> wrote:
> >>> The real problem with capabilities is there is no way to say, I trust
> >>> this child process with this capability, but don't let it get inherited
> >>> beyond this process that I'm about to start.
> >>
> >> Why would you want to do that?
> >
> > Because you know exactly why the program needs a capability and it's not
> > known to have children. Therefore any children must be because of an
> > exploit. The way it is, capabilities are inherited and you can't stop it
>
> when you start a service like, let's say, a webserver and take away
> capabilities for security reasons, then you want *for sure* to have them
> also inherited for *any* scripting language calling whatever via system()
>
> it's expected behavior that settings for a systemd unit like
> capabilities or namespaces are inherited for *every* process of that
> service and not just for ExecStart itself, leaving children unprotected

Sure, there are cases where you know that. But let's take 'ping' as an
example of what I'm talking about. It should never have children. If it
does, it's been exploited. I do not want any capabilities passed to those
children.

-Steve
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
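The inheritance rule the thread is arguing about is, per capabilities(7), P'(permitted) = (P(inheritable) & F(inheritable)) | (F(permitted) & bounding), with an ambient set additionally ORed in on Linux 4.3 and later. As an added example (not code from the thread, from Fedora, or from ping itself; it assumes Linux and uses raw capget/capset syscalls rather than libcap), this C program shows the two knobs a capability-holding program has: shrinking its own inheritable set, which needs no privilege, and reading or dropping the bounding set, where the drop requires CAP_SETPCAP.

```c
#define _GNU_SOURCE
#include <linux/capability.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Raw capget/capset through syscall(2) so no libcap is needed; the v3
 * header selects two 32-bit data words covering capabilities 0..63. */
static int read_caps(struct __user_cap_data_struct data[2])
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return syscall(SYS_capget, &hdr, data);
}

/* Empty the thread's inheritable set, leaving effective and permitted alone.
 * Shrinking pI needs no privilege, so a file-capability binary (e.g. ping
 * with cap_net_raw+ep) can do it early; an execve()d child then gets nothing
 * from the pI & fI term of the inheritance rule. */
int clear_inheritable(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    if (read_caps(data) != 0) return -1;
    data[0].inheritable = 0;
    data[1].inheritable = 0;
    return syscall(SYS_capset, &hdr, data);
}

/* 1 if the inheritable set is empty, 0 if not, -1 on error. */
int inheritable_is_empty(void)
{
    struct __user_cap_data_struct data[2];
    if (read_caps(data) != 0) return -1;
    return (data[0].inheritable | data[1].inheritable) == 0;
}

/* PR_CAPBSET_READ works unprivileged. PR_CAPBSET_DROP needs CAP_SETPCAP and
 * is what actually stops a child regaining the cap from its own file
 * capabilities (the fP & bounding term), which clearing pI cannot do. */
int in_bounding_set(int cap) { return prctl(PR_CAPBSET_READ, cap, 0, 0, 0); }
int drop_from_bounding_set(int cap) { return prctl(PR_CAPBSET_DROP, cap, 0, 0, 0); }

int main(void)
{
    clear_inheritable();
    printf("inheritable empty: %d, CAP_NET_RAW in bounding set: %d\n",
           inheritable_is_empty(), in_bounding_set(CAP_NET_RAW));
    return 0;
}
```

Run it as an unprivileged user and then under a bounding-set-restricted unit (for example with CapabilityBoundingSet= in systemd) to see the second number flip from 1 to 0.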