Re: [systemd-devel] [PATCH] units: add SecureBits

2015-04-24 Thread Lennart Poettering
On Fri, 24.04.15 16:42, Topi Miettinen (toiwo...@gmail.com) wrote:
> > I think all long-running ones that reasonably can already do. I mean,
> > things like logind simply need too many caps, it's really not worth
> > trying to make them run under a different uid, because they have so
> > much priv

Re: [systemd-devel] [PATCH] units: add SecureBits

2015-04-24 Thread Topi Miettinen
On 04/24/15 14:52, Lennart Poettering wrote:
> On Sat, 14.02.15 12:32, Topi Miettinen (toiwo...@gmail.com) wrote:
>
> Sorry for the late response, still going through piles of mail.
>
>> No setuid programs are expected to be executed, so add
>> SecureBits=no-setuid-fixup no-setuid-fixup-l

Re: [systemd-devel] [PATCH] units: add SecureBits

2015-04-24 Thread Lennart Poettering
On Sat, 14.02.15 12:32, Topi Miettinen (toiwo...@gmail.com) wrote:

Sorry for the late response, still going through piles of mail.

> No setuid programs are expected to be executed, so add
> SecureBits=no-setuid-fixup no-setuid-fixup-locked
> to unit files.
> >>>
> >>> So, hmm, afte

Re: [systemd-devel] [PATCH] units: add SecureBits

2015-02-14 Thread Topi Miettinen
On 02/11/15 16:32, Lennart Poettering wrote:
> On Wed, 11.02.15 16:24, Topi Miettinen (toiwo...@gmail.com) wrote:
>
>> On 02/10/15 21:00, Lennart Poettering wrote:
>>> On Sat, 07.02.15 10:40, Topi Miettinen (toiwo...@gmail.com) wrote:
>>> No setuid programs are expected to be executed, so add

Re: [systemd-devel] [PATCH] units: add SecureBits

2015-02-11 Thread Lennart Poettering
On Wed, 11.02.15 16:24, Topi Miettinen (toiwo...@gmail.com) wrote:
> On 02/10/15 21:00, Lennart Poettering wrote:
> > On Sat, 07.02.15 10:40, Topi Miettinen (toiwo...@gmail.com) wrote:
> >
> >> No setuid programs are expected to be executed, so add
> >> SecureBits=no-setuid-fixup no-setuid-fixup-

Re: [systemd-devel] [PATCH] units: add SecureBits

2015-02-11 Thread Topi Miettinen
On 02/10/15 21:00, Lennart Poettering wrote:
> On Sat, 07.02.15 10:40, Topi Miettinen (toiwo...@gmail.com) wrote:
>
>> No setuid programs are expected to be executed, so add
>> SecureBits=no-setuid-fixup no-setuid-fixup-locked
>> to unit files.
>
> So, hmm, after reading the man page again: what'

Re: [systemd-devel] [PATCH] units: add SecureBits

2015-02-10 Thread Lennart Poettering
On Sat, 07.02.15 10:40, Topi Miettinen (toiwo...@gmail.com) wrote:
> No setuid programs are expected to be executed, so add
> SecureBits=no-setuid-fixup no-setuid-fixup-locked
> to unit files.

So, hmm, after reading the man page again: what's the rationale for precisely these bits? I mean no-set

[systemd-devel] [PATCH] units: add SecureBits

2015-02-07 Thread Topi Miettinen
No setuid programs are expected to be executed, so add
SecureBits=no-setuid-fixup no-setuid-fixup-locked
to unit files.
---
 units/systemd-hostnamed.service.in | 1 +
 units/systemd-importd.service.in | 1 +
 units/systemd-journal-gatewayd.service.in | 1 +
 units/systemd-journal-remot