On Wed, 11.02.15 17:26, Topi Miettinen ([email protected]) wrote:

> On 02/11/15 16:33, Lennart Poettering wrote:
> > On Wed, 11.02.15 18:32, Topi Miettinen ([email protected]) wrote:
> >
> >> No setuid programs are expected to be executed, so add
> >> SecureBits=noroot noroot-locked
> >> to unit files.
> >
> > Applied! Thanks!
> >
> > (I hope this is well tested!)
>
> I think I should find some brown paper bags, it does not work (unlike
> no-setuid-fixup which I have been using for some time for most
> services), sorry. Looking at the code in kernel around SECURE_NOROOT use
> cases I suppose the bit does not only control setuid execution (which is
> by the way what the man page only talks about), but it also means that
> all capabilities are lost when *any* programs are executed (including
> the service that systemd is trying to launch), unless there are
> filesystem capability bits enabled to support this.
>
> With a bit more work, the needed filesystem capability bits could be
> enabled at install time for these programs. I don't know how well distro
> package tools handle this if at all.
>
> Please revert the patch for now. Sorry for the trouble.

Done. NP.

File caps is something we cannot really rely on I fear due to compat
with NFS root and stuff, where they aren't available...

Lennart

--
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
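
The behaviour reported in this thread follows from the execve() capability rules documented in capabilities(7). The sketch below is an added example, not code from the thread or from systemd: it models those rules in Python over a constructed three-capability set, assumes the ambient set is empty, and uses hypothetical names (`caps_after_exec`, `FileCaps`).

```python
# Added example: simplified model of the execve() rules in capabilities(7).
# Ambient capabilities are left out (assumed empty); names are illustrative.
from typing import NamedTuple

# Constructed subset of capabilities, enough to show the effect.
ALL = frozenset({"CAP_NET_BIND_SERVICE", "CAP_DAC_OVERRIDE", "CAP_SYS_ADMIN"})
NONE = frozenset()

class FileCaps(NamedTuple):
    permitted: frozenset = NONE
    inheritable: frozenset = NONE
    effective: bool = False   # the single "effective" bit stored with the file

def caps_after_exec(euid, ruid, noroot, inheritable=NONE, bounding=ALL,
                    fcaps=FileCaps()):
    """Return (permitted, effective) capability sets after execve()."""
    f_perm, f_inh, f_eff = fcaps
    if not noroot:
        # Traditional root handling: UID 0 is treated as if the file
        # granted every capability. SECBIT_NOROOT switches this off.
        if euid == 0 or ruid == 0:
            f_perm = f_inh = ALL
        if euid == 0:
            f_eff = True
    permitted = (inheritable & f_inh) | (f_perm & bounding)
    effective = permitted if f_eff else NONE
    return permitted, effective

if __name__ == "__main__":
    cases = {
        "root, default securebits": dict(noroot=False),
        "root, noroot, no file caps": dict(noroot=True),
        "root, noroot, file caps set": dict(
            noroot=True,
            fcaps=FileCaps(permitted=frozenset({"CAP_NET_BIND_SERVICE"}),
                           effective=True)),
    }
    for name, kw in cases.items():
        permitted, effective = caps_after_exec(euid=0, ruid=0, **kw)
        print(f"{name}: permitted={sorted(permitted)} effective={sorted(effective)}")
```

With `noroot` set and no file capabilities on the binary, both sets come out empty even for UID 0, which is why the service itself started without privileges.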
