On Sat, 20.07.13 04:06, Reindl Harald (h.rei...@thelounge.net) wrote: > Hi > > i try to secure the Apache-Webserver (mpm-prefork) as much as possible > > am i right that with the following settings in the systemd-unit after the > child-process > is forked with the "apache" user and the capabilities are reduced as below > even a > potential root exploit would have no success? "SecureBits=noroot" fails i > guess > because it even disallows the parent-process to run as root after > start
IIRC combining NoNewPrivileges with CAP_SETUID doesn't really make much sense as the latter is one way how to gain new privs, but the former doesn't allow this. Lennart -- Lennart Poettering - Red Hat, Inc. _______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
