Re: [systemd-devel] Use of capabilities in default service files

2015-07-22 Thread Lennart Poettering
On Tue, 21.07.15 13:24, Florian Weimer (fwei...@redhat.com) wrote: > And that's fine. But doing hardening for UID=0 services seems a very > bad practice to me because it looks like someone is assuming that UID=0 > without capabilities is just another “nobody” user. Which is not > surprising, bec

Re: [systemd-devel] Use of capabilities in default service files

2015-07-22 Thread Lennart Poettering
On Mon, 20.07.15 13:58, Florian Weimer (fwei...@redhat.com) wrote: > On 07/20/2015 01:52 PM, Reindl Harald wrote: > > > > > > Am 20.07.2015 um 13:24 schrieb Florian Weimer: > >> CapabilityBoundingSet=CAP_IPC_OWNER CAP_SETUID CAP_SETGID CAP_SETPCAP > >> m4_ifdef(`HAVE_SMACK', CAP_MAC_AD

Re: [systemd-devel] Use of capabilities in default service files

2015-07-22 Thread Reindl Harald
Am 21.07.2015 um 13:24 schrieb Florian Weimer: On 07/20/2015 02:34 PM, Reindl Harald wrote: Am 20.07.2015 um 13:58 schrieb Florian Weimer: On 07/20/2015 01:52 PM, Reindl Harald wrote: Am 20.07.2015 um 13:24 schrieb Florian Weimer: CapabilityBoundingSet=CAP_IPC_OWNER CAP_SETUID CAP_SETGID

Re: [systemd-devel] Use of capabilities in default service files

2015-07-22 Thread Reindl Harald
Am 20.07.2015 um 13:24 schrieb Florian Weimer: CapabilityBoundingSet=CAP_IPC_OWNER CAP_SETUID CAP_SETGID CAP_SETPCAP m4_ifdef(`HAVE_SMACK', CAP_MAC_ADMIN ) … What's the intent of these settings? Is it a form of hardening? If yes, it is rather ineffective because UID=0 does not need any capabi

Re: [systemd-devel] Use of capabilities in default service files

2015-07-22 Thread Reindl Harald
Am 20.07.2015 um 13:58 schrieb Florian Weimer: On 07/20/2015 01:52 PM, Reindl Harald wrote: Am 20.07.2015 um 13:24 schrieb Florian Weimer: CapabilityBoundingSet=CAP_IPC_OWNER CAP_SETUID CAP_SETGID CAP_SETPCAP m4_ifdef(`HAVE_SMACK', CAP_MAC_ADMIN ) … What's the intent of these settings? Is

Re: [systemd-devel] Use of capabilities in default service files

2015-07-22 Thread Lennart Poettering
On Mon, 20.07.15 13:24, Florian Weimer (fwei...@redhat.com) wrote: > What's the intent of these settings? Is it a form of hardening? If > yes, it is rather ineffective because UID=0 does not need any > capabilities to completely compromise the system. Well, we run our stuff with minimal attack

Re: [systemd-devel] Use of capabilities in default service files

2015-07-21 Thread David Herrmann
Hi On Tue, Jul 21, 2015 at 1:24 PM, Florian Weimer wrote: > And that's fine. But doing hardening for UID=0 services seems a very > bad practice to me because it looks like someone is assuming that UID=0 > without capabilities is just another “nobody” user. Which is not > surprising, because cap

Re: [systemd-devel] Use of capabilities in default service files

2015-07-21 Thread Florian Weimer
On 07/20/2015 02:34 PM, Reindl Harald wrote: > > > Am 20.07.2015 um 13:58 schrieb Florian Weimer: >> On 07/20/2015 01:52 PM, Reindl Harald wrote: >>> >>> >>> Am 20.07.2015 um 13:24 schrieb Florian Weimer: CapabilityBoundingSet=CAP_IPC_OWNER CAP_SETUID CAP_SETGID CAP_SETPCAP m4_ifdef(`HA

Re: [systemd-devel] Use of capabilities in default service files

2015-07-20 Thread Florian Weimer
On 07/20/2015 01:52 PM, Reindl Harald wrote: > > > Am 20.07.2015 um 13:24 schrieb Florian Weimer: >> CapabilityBoundingSet=CAP_IPC_OWNER CAP_SETUID CAP_SETGID CAP_SETPCAP >> m4_ifdef(`HAVE_SMACK', CAP_MAC_ADMIN ) >> … >> What's the intent of these settings? Is it a form of hardening? If >> yes,