On 07/20/2015 07:30 PM, Andrew Lutomirski wrote:
>> (b) Make a copy of the file, put it in a directory which only the
>> service user can read (or ship it with 750 permissions and the service
>> group controlling it), and set fscaps. The downside is the large binary
>> size (it has to be a copy, a link won't work). And the service user
>> could still run the service with command line options that allow
>> privilege escalation.
>>
>
> If you set inheritable fscaps but not permitted, this should be reasonably
> safe.

Empirically, this causes the capability to end up in the P set, not the E set, which means that the application still needs to be capability-aware to enable it. So it really doesn't help that much in the Go case, sadly. Although it is fairly close.

-- 
Florian Weimer / Red Hat Product Security
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
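As an added example, not from this thread: a small C program that inspects its own capability sets for the state Florian describes (a capability present in the permitted set P but absent from the effective set E) and, if found, raises it into E via the raw capget/capset syscalls, which is the capability-aware step the application itself has to take. It assumes Linux and uses CAP_NET_BIND_SERVICE (bit 10) as the capability of interest.

```c
/* Added example: detect "in P but not in E" and raise the cap into E.
 * Assumes Linux; capget/capset on the calling thread need no privilege
 * as long as E stays a subset of P. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

#define CAP_BIT_NET_BIND_SERVICE 10 /* CAP_NET_BIND_SERVICE bit number */

/* Parse the CapPrm/CapEff hex masks from /proc/<pid>/status text.
 * Returns 0 on success, -1 if either field is missing. */
int parse_cap_sets(const char *status, uint64_t *prm, uint64_t *eff)
{
    const char *p = strstr(status, "CapPrm:");
    const char *e = strstr(status, "CapEff:");
    if (!p || !e) return -1;
    *prm = strtoull(p + 7, NULL, 16); /* strtoull skips the leading tab */
    *eff = strtoull(e + 7, NULL, 16);
    return 0;
}

/* 1 if cap is permitted but not effective, i.e. must be raised explicitly. */
int cap_needs_raise(uint64_t prm, uint64_t eff, int cap)
{
    uint64_t bit = (uint64_t)1 << cap;
    return ((prm & bit) != 0) && ((eff & bit) == 0);
}

/* Move cap from P into E on the current thread. 0 on success, -1 on error. */
int raise_effective(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2]; /* v3 uses two 32-bit words */
    if (syscall(SYS_capget, &hdr, data) != 0) return -1;
    data[cap / 32].effective |= 1u << (cap % 32);
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : -1;
}

int main(void)
{
    char buf[4096]; uint64_t prm, eff;
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return 1;
    size_t n = fread(buf, 1, sizeof buf - 1, f); buf[n] = 0; fclose(f);
    if (parse_cap_sets(buf, &prm, &eff) != 0) return 1;
    if (cap_needs_raise(prm, eff, CAP_BIT_NET_BIND_SERVICE))
        printf("raise into E: %s\n", raise_effective(CAP_BIT_NET_BIND_SERVICE) == 0 ? "ok" : "failed");
    else
        printf("CAP_NET_BIND_SERVICE: P=%d E=%d\n", (int)(prm >> 10 & 1), (int)(eff >> 10 & 1));
    return 0;
}
```

Run it unprivileged and it reports P=0 E=0; run it after `setcap cap_net_bind_service+p` on the binary (or the inheritable-only variant from the thread, given a matching inheritable set in the parent) and it shows the P-but-not-E state and raises it.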