On Jul 20, 2015 4:20 AM, "Florian Weimer" <fwei...@redhat.com> wrote:
>
> On 07/18/2015 03:53 PM, Andrew Lutomirski wrote:
>
> > Nothing. Inheritable capabilities are nearly useless.
>
> Wow.
>
> The program that sparked this thread is a Go program. So basically, we
> have these options if we do not want to run with full capabilities:
>
> (a) Run with UID=0 with restricted capabilities, like many systemd
> services already do. Do not use fscaps (which are not needed because of
> the UID=0 special case). This is rather pointless because UID=0 does
> not need capabilities to compromise the system.
>
> (b) Make a copy of the file, put it in a directory which only the
> service user can read (or ship it with 750 permissions and the service
> group controlling it), and set fscaps. The downside is the large binary
> size (it has to be a copy, a link won't work). And the service user
> could still run the service with command line options that allow
> privilege escalation.
>
If you set inheritable fscaps but not permitted, this should be reasonably safe. Alas, you will have to remove fscaps entirely to be compatible with ambient caps.

--Andy
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
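The capability arithmetic behind the three options in this exchange, as an added example that is not part of the thread and not Fedora, systemd or kernel code: a small C model of the execve() transition rules from capabilities(7), P'(ambient) = 0 if the file carries fscaps else P(ambient); P'(permitted) = (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding)) | P'(ambient); P'(effective) = P'(permitted) if the file effective bit is set else P'(ambient); plus the UID 0 special case in which the file sets are notionally all ones. The struct and function names, the service UID 1000 and the choice of CAP_NET_BIND_SERVICE (with CAP_NET_RAW standing in for "some unrelated capability") are this example's own assumptions; set-UID/set-GID bits, securebits such as SECBIT_NOROOT and the setuid-root-with-fscaps exception are deliberately not modelled.

```c
/* Added example, not code from the thread: a model of the execve() capability
 * transition from capabilities(7), run over the options discussed above.
 * Bit numbers follow linux/capability.h; struct/function names, the service
 * UID 1000 and the use of CAP_NET_BIND_SERVICE are this example's assumptions.
 * Not modelled: set-UID/GID bits, securebits, setuid-root-with-fscaps exception. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CAPBIT(n)        (UINT64_C(1) << (n))
#define ALL_CAPS         (~UINT64_C(0))
#define NET_BIND_SERVICE CAPBIT(10)   /* CAP_NET_BIND_SERVICE */
#define NET_RAW          CAPBIT(13)   /* CAP_NET_RAW */

struct pcaps {                /* a process: UID plus its five capability sets */
    uint32_t uid;
    uint64_t permitted, inheritable, effective, ambient, bounding;
};

struct fcaps {                /* a file's security.capability xattr */
    bool     present;         /* any fscaps at all make the file "privileged" */
    uint64_t permitted, inheritable;
    bool     effective_bit;
};

/* Transition of process sets P across execve() of a file carrying F. */
static struct pcaps do_exec(struct pcaps p, struct fcaps f)
{
    uint64_t f_inh = f.inheritable, f_perm = f.permitted;
    bool f_eff = f.effective_bit;
    if (p.uid == 0) {         /* UID 0 special case: file sets notionally all ones */
        f_inh = f_perm = ALL_CAPS;
        f_eff = true;
    }
    struct pcaps n = p;       /* inheritable and bounding survive exec unchanged */
    n.ambient   = f.present ? 0 : p.ambient;   /* any fscaps clear the ambient set */
    n.permitted = (p.inheritable & f_inh) | (f_perm & p.bounding) | n.ambient;
    n.effective = f_eff ? n.permitted : n.ambient;
    return n;
}

/* Unprivileged service user: empty capability sets, full bounding set. */
static const struct pcaps service_user = { .uid = 1000, .bounding = ALL_CAPS };

/* Option (a): UID 0, restricted bounding set, no fscaps. Whatever is left in
 * the bounding set comes back on every exec. */
static struct pcaps scenario_root_restricted(void)
{
    struct pcaps p = { .uid = 0, .bounding = NET_BIND_SERVICE };
    return do_exec(p, (struct fcaps){ .present = false });
}

/* Option (b): permitted+effective fscaps. Whoever can exec the file gets the
 * capability, hence the 750 directory. */
static struct pcaps scenario_permitted_fscaps(void)
{
    struct fcaps f = { .present = true, .permitted = NET_BIND_SERVICE, .effective_bit = true };
    return do_exec(service_user, f);
}

/* Inheritable-only fscaps. A process without the capability in its inheritable
 * set gains nothing; a launcher that put it into its inheritable set (which
 * survives setuid()) before dropping to UID 1000 passes it through. */
static struct pcaps scenario_inheritable_only(bool with_launcher)
{
    struct pcaps p = service_user;
    if (with_launcher)
        p.inheritable = NET_BIND_SERVICE;
    struct fcaps f = { .present = true, .inheritable = NET_BIND_SERVICE, .effective_bit = true };
    return do_exec(p, f);
}

/* Ambient caps: the launcher raised the capability into the ambient set (needs
 * it in permitted and inheritable). It survives exec of a file without fscaps;
 * any fscaps at all, here ones for an unrelated capability, clear it. */
static struct pcaps scenario_ambient(bool file_has_fscaps)
{
    struct pcaps p = service_user;
    p.permitted = p.inheritable = p.ambient = NET_BIND_SERVICE;
    struct fcaps f = { .present = file_has_fscaps };
    if (file_has_fscaps) {
        f.inheritable = NET_RAW;
        f.effective_bit = true;
    }
    return do_exec(p, f);
}

static void show(const char *name, struct pcaps r)
{
    printf("%-36s P'=%#llx E'=%#llx A'=%#llx\n", name, (unsigned long long)r.permitted,
           (unsigned long long)r.effective, (unsigned long long)r.ambient);
}

int main(void)
{
    show("(a) UID 0, restricted bounding set", scenario_root_restricted());
    show("(b) permitted fscaps, any user", scenario_permitted_fscaps());
    show("inheritable-only fscaps, stranger", scenario_inheritable_only(false));
    show("inheritable-only fscaps, launcher", scenario_inheritable_only(true));
    show("ambient cap, file without fscaps", scenario_ambient(false));
    show("ambient cap, file with fscaps", scenario_ambient(true));
    return 0;
}
```

Build with `cc -std=c11` and run. The two inheritable-only rows are why Andy calls that setup reasonably safe: a user who merely can exec the file gets nothing, and only a launcher that already holds the capability in its inheritable set passes it through. The two ambient rows are the incompatibility he mentions: the ambient set is cleared on exec of any file with a security.capability xattr, so even inheritable-only fscaps have to be removed before an ambient-capability launcher will work.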