On 20.07.2015 at 13:24, Florian Weimer wrote:
CapabilityBoundingSet=CAP_IPC_OWNER CAP_SETUID CAP_SETGID CAP_SETPCAP m4_ifdef(`HAVE_SMACK', CAP_MAC_ADMIN )
…
What's the intent of these settings? Is it a form of hardening? If yes, it is rather ineffective because UID=0 does not need any capabilities to completely compromise the system.
UID=0 *does* need capabilities; that's the whole purpose of CapabilityBoundingSet, and so yes, it is a form of hardening.
http://linux.die.net/man/7/capabilities

Our internal httpd package is using the following options, and when you remove CAP_NET_BIND_SERVICE it could not bind to port 80:
PrivateTmp=yes
PrivateDevices=yes
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID
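As an added example (not part of this thread, and not systemd's own code), the script below decodes the CapBnd mask that the kernel reports for a process in /proc/<pid>/status and compares it with the capability list a unit's CapabilityBoundingSet= line is supposed to grant. That is how a defender can verify that a bounding set like the httpd one above really took effect, and in particular that CAP_NET_BIND_SERVICE is present (or, when hardening further, that CAP_SYS_ADMIN and friends are absent). The capability bit numbers are those from the kernel's include/uapi/linux/capability.h; the status excerpt is constructed here and was not captured from a real host.

```python
"""Decode and check Linux capability bounding-set masks from /proc/<pid>/status.

Added example for the systemd-devel thread above; not code from the thread.
"""

# Capability bit numbers from include/uapi/linux/capability.h (index == bit).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
]
CAP_BIT = {name: bit for bit, name in enumerate(CAP_NAMES)}


def encode_caps(names):
    """Turn a CapabilityBoundingSet= list into the integer mask the kernel shows."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_BIT[name]
    return mask


def decode_caps(mask_hex):
    """Turn a hex mask such as '00000000000044c2' into the set of capability names."""
    mask = int(mask_hex, 16)
    return {name for name, bit in CAP_BIT.items() if (mask >> bit) & 1}


def parse_status(text):
    """Extract the Cap* lines (CapInh, CapPrm, CapEff, CapBnd, ...) from a status dump."""
    caps = {}
    for line in text.splitlines():
        if line.startswith("Cap") and ":" in line:
            key, _, value = line.partition(":")
            caps[key.strip()] = value.strip()
    return caps


def check_bounding_set(status_text, required, forbidden):
    """Compare a process's bounding set against what its unit should allow.

    Returns (missing, present_but_forbidden), each a sorted list of names.
    """
    bnd = decode_caps(parse_status(status_text)["CapBnd"])
    return sorted(set(required) - bnd), sorted(set(forbidden) & bnd)


# The httpd bounding set quoted in the thread.
HTTPD_SET = ["CAP_DAC_OVERRIDE", "CAP_IPC_LOCK", "CAP_NET_BIND_SERVICE",
             "CAP_SETGID", "CAP_SETUID"]

# Constructed sample: a /proc/<pid>/status excerpt for a UID 0 service started
# under that bounding set. Not captured from a real host.
SAMPLE_STATUS = (
    "Name:\thttpd\n"
    "Uid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\n"
    f"CapPrm:\t{encode_caps(HTTPD_SET):016x}\n"
    f"CapEff:\t{encode_caps(HTTPD_SET):016x}\n"
    f"CapBnd:\t{encode_caps(HTTPD_SET):016x}\n"
)

# Capabilities that should never be in a web server's bounding set.
DANGEROUS = ["CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_PTRACE"]

if __name__ == "__main__":
    print("httpd mask: 0x%x" % encode_caps(HTTPD_SET))
    print("decoded:", sorted(decode_caps("00000000000044c2")))
    missing, forbidden = check_bounding_set(SAMPLE_STATUS, ["CAP_NET_BIND_SERVICE"], DANGEROUS)
    print("missing:", missing, "forbidden present:", forbidden)
```

To run it against a live service, read the status file of the main process (the PID is printed by `systemctl show -p MainPID httpd.service`) and pass its contents to `check_bounding_set`; `systemctl show -p CapabilityBoundingSet httpd.service` prints the list systemd thinks it applied, so the two can be reconciled. A bounding set missing CAP_NET_BIND_SERVICE shows up as a non-empty `missing` list, which is exactly the port 80 bind failure described above.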
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel