On 02/10/15 21:00, Lennart Poettering wrote: > On Sat, 07.02.15 10:40, Topi Miettinen ([email protected]) wrote: > >> No setuid programs are expected to be executed, so add >> SecureBits=no-setuid-fixup no-setuid-fixup-locked >> to unit files. > > So, hmm, after reading the man page again: what's the rationale for > precisely these bits? > > I mean no-setuid-fixup seems to be something that applies to setuid(), > setresuid() calls and suchlike, which seems pretty uninteresting. Much > more interesting is SECBIT_NOROOT, which disables suid binary > handling...
Yes, noroot noroot-locked was actually my intention, sorry. I'll update the patch. Maybe all of "noroot noroot-locked no-setuid-fixup no-setuid-fixup-locked" would be OK, but that probably needs another look at the programs if they switch UIDs. -Topi > > Can you elaborate? > > Lennart > _______________________________________________ systemd-devel mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/systemd-devel
