On 02/06/2013 05:03 PM, Chow Loong Jin wrote:
> On 06/02/2013 16:27, Martin Wuertele wrote:
>> * Shawn <shawnland...@gmail.com> [2013-02-05 18:43]:
>>
>>> socket-activation in systemd _helps_ security in that you can give an
>>> unprivileged process a listening port under 1024. (using a privileged
>>> configuration file)
>> Privileged vs. unprivileged port is not really a security improvement.
> I think he's referring to allowing processes which require listening to a port
> under 1024 to run without superuser privileges. I believe our implementation on
> Debian (e.g. Apache) is to have the process start as root, start listening, and
> then setuid to an unprivileged user.
>

Which would be the wrong way of doing things / wrong reason for using root as running user, since you can set the CAP_NET_BIND_SERVICE capability... (man capabilities ...)

Thomas

P.S: I know this since the nice talk from Luciano last summer at debconf! :)

Archive: http://lists.debian.org/51129451.3070...@debian.org
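Added example, not part of the original thread: a C sketch of the service side of the two options discussed above, so a daemon can tell at startup whether it inherited a listening socket through systemd socket activation or holds CAP_NET_BIND_SERVICE, without running as root. The function names are hypothetical; the `LISTEN_PID`/`LISTEN_FDS` variables follow the convention documented in sd_listen_fds(3), and bit 10 is the CAP_NET_BIND_SERVICE value from `<linux/capability.h>`.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define CAP_NET_BIND_SERVICE_BIT 10   /* value from <linux/capability.h> */

/* Number of sockets inherited via socket activation (fds 3, 4, ...), 0 if none.
 * LISTEN_PID must name this process; LISTEN_FDS carries the count. */
int inherited_listen_fds(void)
{
    const char *pid = getenv("LISTEN_PID");
    const char *fds = getenv("LISTEN_FDS");
    char *end;

    if (!pid || !fds)
        return 0;
    long p = strtol(pid, &end, 10);
    if (*pid == '\0' || *end != '\0' || p != (long)getpid())
        return 0;                     /* variables were meant for another process */
    long n = strtol(fds, &end, 10);
    if (*fds == '\0' || *end != '\0' || n < 0 || n > 1024)
        return 0;                     /* malformed or implausible count */
    return (int)n;
}

/* 1 if a hex CapEff mask, as printed in /proc/self/status, has the bit set. */
int mask_has_net_bind(const char *hex)
{
    char *end;
    unsigned long long m = strtoull(hex, &end, 16);
    if (end == hex)
        return 0;                     /* not a hex number */
    return (int)((m >> CAP_NET_BIND_SERVICE_BIT) & 1ULL);
}

int main(void)
{
    char line[256], mask[64] = "0";
    FILE *f = fopen("/proc/self/status", "r");
    while (f && fgets(line, sizeof line, f))
        if (sscanf(line, "CapEff: %63s", mask) == 1)
            break;
    if (f) fclose(f);
    printf("euid=%ld inherited_fds=%d cap_net_bind_service=%d\n",
           (long)geteuid(), inherited_listen_fds(), mask_has_net_bind(mask));
    return 0;
}
```

A service that reports `euid=0` here is still relying on the start-as-root pattern; either of the other two values being non-zero means the low port can be served by an unprivileged user.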